@reproapp/node-sdk 0.0.3 → 0.0.4

package/dist/privacy.js

@@ -0,0 +1,2868 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.applyRuntimePrivacyPolicyAsync = exports.applyRuntimePrivacyPolicy = exports.normalizeRuntimePrivacyPolicy = exports.fetchApprovedRuntimePrivacyPolicy = exports.resolvePrivacyApiBase = exports.normalizePrivacyEnvironment = exports.clearRuntimePrivacyProvenance = void 0;
+const crypto_1 = require("crypto");
+const privacy_fallback_1 = require("./privacy-fallback");
+const privacy_redaction_1 = require("./privacy-redaction");
+const EMPTY_RUNTIME_PRIVACY_POLICY = {
+    statements: [],
+    rawTextHints: [],
+};
+const RUNTIME_PRIVACY_PROVENANCE_MAX_ENTRIES = 1000;
+const RUNTIME_PRIVACY_PROVENANCE_MAX_SERIALIZED_LENGTH = 200000;
+let objectRuntimePrivacyProvenance = new WeakMap();
+const serializedRuntimePrivacyProvenance = new Map();
+function clearRuntimePrivacyProvenance() {
+    objectRuntimePrivacyProvenance = new WeakMap();
+    serializedRuntimePrivacyProvenance.clear();
+}
+exports.clearRuntimePrivacyProvenance = clearRuntimePrivacyProvenance;
+const ALL_SURFACES = [
+    'db.pk',
+    'db.before',
+    'db.after',
+    'db.query',
+    'db.resultMeta',
+    'db.error',
+    'request.headers',
+    'request.body',
+    'request.params',
+    'request.query',
+    'response.body',
+    'trace.args',
+    'trace.returnValue',
+    'trace.error',
+];
+const TARGET_PREFIXES = [
+    'outbound.http.headers',
+    'outbound.http.body',
+    'log.payload',
+    'request.headers',
+    'request.body',
+    'request.params',
+    'request.query',
+    'response.body',
+    'trace.returnValue',
+    'trace.args',
+    'trace.error',
+    'db.resultMeta',
+    'db.document',
+    'db.before',
+    'db.after',
+    'db.query',
+    'db.error',
+    'db.pk',
+    'request',
+    'response',
+    'trace',
+    'payload',
+    'config',
+    'env',
+];
+function normalizePrivacyEnvironment(input) {
+    const raw = input?.trim() ||
+        process.env.REPRO_PRIVACY_ENV ||
+        process.env.REPRO_ENV ||
+        process.env.NODE_ENV ||
+        'dev';
+    const normalized = raw.trim().toLowerCase();
+    if (normalized === 'development')
+        return 'dev';
+    if (normalized === 'production')
+        return 'prod';
+    if (normalized === 'staging' || normalized === 'stage')
+        return 'qa';
+    return normalized || 'dev';
+}
+exports.normalizePrivacyEnvironment = normalizePrivacyEnvironment;
+function resolvePrivacyApiBase(cfg) {
+    const value = cfg?.apiBase ||
+        process.env.REPRO_PRIVACY_API_BASE ||
+        process.env.REPRO_API_BASE ||
+        null;
+    if (!value || !String(value).trim()) {
+        return null;
+    }
+    return String(value).replace(/\/+$/, '');
+}
+exports.resolvePrivacyApiBase = resolvePrivacyApiBase;
+const DEFAULT_RUNTIME_PRIVACY_FETCH_TIMEOUT_MS = 2500;
+function resolveRuntimePrivacyFetchTimeoutMs(value) {
+    if (!Number.isFinite(value)) {
+        return DEFAULT_RUNTIME_PRIVACY_FETCH_TIMEOUT_MS;
+    }
+    const normalized = Math.trunc(Number(value));
+    if (normalized < 250) {
+        return 250;
+    }
+    return normalized;
+}
+async function fetchApprovedRuntimePrivacyPolicy(params) {
+    if (!params.appId || !params.appSecret || !params.apiBase) {
+        return {
+            status: 'disabled',
+            reason: !params.apiBase ? 'missing_config' : 'missing_credentials',
+        };
+    }
+    const url = `${params.apiBase}/v1/sdk/privacy-policy?environment=${encodeURIComponent(params.environment)}`;
+    const headers = {
+        accept: 'application/json',
+        'x-app-id': params.appId,
+        'x-app-secret': params.appSecret,
+    };
+    if (params.appName) {
+        headers['x-app-name'] = params.appName;
+    }
+    const controller = typeof AbortController !== 'undefined'
+        ? new AbortController()
+        : null;
+    const timeoutMs = resolveRuntimePrivacyFetchTimeoutMs(params.fetchTimeoutMs);
+    const timeout = controller
+        ? setTimeout(() => controller.abort(), timeoutMs)
+        : null;
+    try {
+        const response = await fetch(url, {
+            method: 'GET',
+            headers,
+            signal: controller?.signal,
+        });
+        if (!response.ok) {
+            return { status: 'http_error', httpStatus: response.status };
+        }
+        const payload = await response.json();
+        if (!payload?.enabled || !payload.policy) {
+            return { status: 'disabled', reason: 'no_policy' };
+        }
+        const policy = normalizeRuntimePrivacyPolicy(payload.policy);
+        if (!policy) {
+            return { status: 'disabled', reason: 'empty_policy' };
+        }
+        return { status: 'ok', policy };
+    }
+    catch (error) {
+        if (error?.name === 'AbortError') {
+            return { status: 'network_error', error: 'timeout' };
+        }
+        return { status: 'network_error', error: 'request_failed' };
+    }
+    finally {
+        if (timeout) {
+            clearTimeout(timeout);
+        }
+    }
+}
+exports.fetchApprovedRuntimePrivacyPolicy = fetchApprovedRuntimePrivacyPolicy;
+function normalizeRuntimePrivacyPolicy(raw) {
+    if (!raw || typeof raw !== 'object') {
+        return null;
+    }
+    const policy = raw;
+    const flattened = flattenStatements(policy);
+    const rawTextHints = normalizeRawTextHints(policy.rawTextHints);
+    const statements = flattened
+        .map((entry, index) => normalizeStatement(entry, index))
+        .filter((entry) => entry !== null)
+        .sort((left, right) => left.priority - right.priority);
+    if (!statements.length) {
+        return null;
+    }
+    return {
+        environment: typeof policy.environment === 'string' ? policy.environment : undefined,
+        strength: policy.strength === 'weak' || policy.strength === 'medium' || policy.strength === 'strict'
+            ? policy.strength
+            : undefined,
+        statements,
+        rawTextHints,
+    };
+}
+exports.normalizeRuntimePrivacyPolicy = normalizeRuntimePrivacyPolicy;
+function applyRuntimePrivacyPolicy(policy, surface, value, context) {
+    if (value === undefined) {
+        return value;
+    }
+    return transformValue(policy ?? EMPTY_RUNTIME_PRIVACY_POLICY, surface, value, context, []);
+}
+exports.applyRuntimePrivacyPolicy = applyRuntimePrivacyPolicy;
+async function applyRuntimePrivacyPolicyAsync(policy, surface, value, context) {
+    if (value === undefined) {
+        return value;
+    }
+    return transformValueAsync(policy ?? EMPTY_RUNTIME_PRIVACY_POLICY, surface, value, context, []);
+}
+exports.applyRuntimePrivacyPolicyAsync = applyRuntimePrivacyPolicyAsync;
+function flattenStatements(policy) {
+    const fromGroups = Array.isArray(policy.groups)
+        ? policy.groups.flatMap((group) => Array.isArray(group?.statements) ? group.statements : [])
+        : [];
+    if (fromGroups.length) {
+        return fromGroups;
+    }
+    return Array.isArray(policy.statements) ? policy.statements : [];
+}
+function normalizeStatement(input, index) {
+    const scope = input?.when?.scope;
+    const selector = typeof input?.when?.selector === 'string' ? input.when.selector.trim() : '';
+    const action = input?.apply?.action;
+    if (!selector ||
+        (scope !== 'FIELD' &&
+            scope !== 'FUNCTION' &&
+            scope !== 'ROUTE' &&
+            scope !== 'SCHEMA' &&
+            scope !== 'QUERY' &&
+            scope !== 'PATTERN') ||
+        (action !== 'KEEP_EXACT' && action !== 'TOKENIZE' && action !== 'SUMMARIZE' && action !== 'DROP')) {
+        return null;
+    }
+    const pattern = typeof input?.when?.pattern === 'string' && input.when.pattern.trim()
+        ? safeRegExp(input.when.pattern)
+        : undefined;
+    const targetMatchers = parseTargetMatchers(typeof input?.when?.target === 'string' ? input.when.target : '');
+    const selectorTokens = selector
+        .split('|')
+        .map((part) => part.trim())
+        .filter(Boolean)
+        .map((part) => (scope === 'FIELD' ? normalizeFieldSelectorToken(part) : part))
+        .filter(Boolean);
+    let selectorLeaves = selectorTokens
+        .map((part) => {
+        const normalized = part.replace(/\s*->.*$/, '').trim();
+        const lastDot = normalized.lastIndexOf('.');
+        return lastDot >= 0 ? normalized.slice(lastDot + 1) : normalized;
+    })
+        .filter(Boolean);
+    if (scope === 'FIELD' && targetMatchers.length) {
+        const targetLeaves = targetMatchers
+            .flatMap((matcher) => {
+            const leaf = matcher.path?.[matcher.path.length - 1] ?? '';
+            if (!leaf || leaf === '*' || /^\d+$/.test(leaf)) {
+                return [];
+            }
+            return [leaf];
+        });
+        if (targetLeaves.length) {
+            selectorLeaves = Array.from(new Set([...selectorLeaves, ...targetLeaves]));
+        }
+    }
+    return {
+        sid: typeof input.sid === 'string' ? input.sid : `${String(scope).toLowerCase()}-${index + 1}`,
+        scope,
+        selector,
+        action,
+        priority: typeof input?.meta?.priority === 'number' && Number.isFinite(input.meta.priority)
+            ? input.meta.priority
+            : index + 1,
+        pattern,
+        selectorTokens,
+        selectorLeaves,
+        targetMatchers,
+        textPolicy: normalizeTextPolicy(input?.apply?.textPolicy ?? input?.textPolicy),
+        rawTextMode: normalizeRawTextMode(input?.apply?.rawTextMode ?? input?.rawTextMode),
+        rawTextHintNames: normalizeRawTextHintNames(input?.meta?.review?.rawTextHintNames),
+        descendantRawTextMode: normalizeRawTextMode(input?.apply?.descendantRawTextMode ?? input?.descendantRawTextMode),
+    };
+}
+function resolveEffectiveAction(baseAction, value, path) {
+    const safetyFloor = deriveSensitiveLeafFloorAction(value, path);
+    if (!safetyFloor) {
+        return baseAction;
+    }
+    if (!baseAction) {
+        return safetyFloor;
+    }
+    if (baseAction === 'KEEP_EXACT') {
+        return safetyFloor === 'SUMMARIZE' ? baseAction : safetyFloor;
+    }
+    if (baseAction === 'DROP') {
+        return baseAction;
+    }
+    if (safetyFloor === 'DROP') {
+        return 'DROP';
+    }
+    if (safetyFloor === 'TOKENIZE' && baseAction === 'SUMMARIZE') {
+        return 'TOKENIZE';
+    }
+    return baseAction;
+}
+function deriveSensitiveLeafFloorAction(value, path) {
+    if (!path.length) {
+        return null;
+    }
+    if (value !== null && typeof value === 'object') {
+        return null;
+    }
+    const comparablePath = normalizeComparablePath(path);
+    if (!comparablePath) {
+        return null;
+    }
+    if (DROP_SAFETY_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return 'DROP';
+    }
+    if (TOKENIZE_SAFETY_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return 'TOKENIZE';
+    }
+    if (typeof value === 'string') {
+        if (looksLikeEmail(value)) {
+            return 'TOKENIZE';
+        }
+        if (looksLikeConnectionString(value)) {
+            return 'DROP';
+        }
+        if (FREE_TEXT_FALLBACK_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+            return 'SUMMARIZE';
+        }
+    }
+    return null;
+}
+function transformValue(policy, surface, value, context, path, fallbackInput = null) {
+    const fallback = resolveTransformFallback(value, fallbackInput);
+    const objectId = coercePrivacyObjectId(value);
+    if (objectId !== null) {
+        value = objectId;
+    }
+    value = normalizeEncodedCollectionForPrivacy(value);
+    const statement = matchStatement(policy, surface, value, context, path);
+    if (statement?.textPolicy?.mode === 'KNOWN_TEMPLATE' && typeof value === 'string') {
+        return applyKnownTextPolicy(statement.textPolicy, value, context, surface, path);
+    }
+    let currentValue = value;
+    const action = resolveEffectiveAction(statement?.action ?? fallback?.action, currentValue, path);
+    const deferKnownStringDetectors = shouldDeferKnownStringDetectorsToRawHints(statement, fallback);
+    if (typeof currentValue === 'string' && action !== 'DROP' && action !== 'TOKENIZE') {
+        const structured = transformSerializedStructuredString(policy, surface, currentValue, context, path, serializedStringFallbackForStatement(statement, action, fallback));
+        if (structured !== null) {
+            return structured;
+        }
+        if (!deferKnownStringDetectors) {
+            const detected = sanitizeTextWithKnownDetectorsSync(currentValue, path);
+            if (detected !== currentValue && (action === 'KEEP_EXACT' || !action) && !statement?.descendantRawTextMode) {
+                return detected;
+            }
+            currentValue = detected;
+        }
+    }
+    if (typeof currentValue === 'string' && (action === 'DROP' || action === 'TOKENIZE')) {
+        const structured = transformSerializedStructuredStringAsChildren(policy, surface, currentValue, context, path);
+        if (structured !== null) {
+            return structured;
+        }
+    }
+    if (shouldPreserveBroadContainerSurface(statement, action, surface, currentValue, path)) {
+        return transformChildrenExact(policy, surface, currentValue, context, path, childFallbackForExact(statement, action, fallback));
+    }
+    if (typeof currentValue === 'string' && action === 'KEEP_EXACT' && statement?.descendantRawTextMode) {
+        return summarizeValue(policy, currentValue, context, surface, path, { rawTextMode: statement.descendantRawTextMode });
+    }
+    if (action === 'KEEP_EXACT') {
+        return transformChildrenExact(policy, surface, currentValue, context, path, childFallbackForExact(statement, action, fallback));
+    }
+    if (action === 'DROP') {
+        return '[dropped]';
+    }
+    if (action === 'TOKENIZE') {
+        if (isStructuredPrivacyContainer(currentValue)) {
+            return transformChildrenWithFallback(policy, surface, currentValue, context, path, 'TOKENIZE');
+        }
+        return tokenizeValue(currentValue, context, surface, path);
+    }
+    if (action === 'SUMMARIZE') {
+        const summaryPolicy = summaryPolicyFor(statement, fallback);
+        const summaryFallback = summaryFallbackForPolicy(summaryPolicy);
+        if (isStructuredPrivacyContainer(currentValue) && summaryFallback) {
+            return transformChildrenExact(policy, surface, currentValue, context, path, summaryFallback);
+        }
+        if (!statement && fallback?.action === 'SUMMARIZE' && isStructuredPrivacyContainer(currentValue)) {
+            return transformChildrenExact(policy, surface, currentValue, context, path, fallback);
+        }
+        return summarizeValue(policy, currentValue, context, surface, path, summaryPolicy);
+    }
+    return transformChildrenExact(policy, surface, currentValue, context, path, fallback);
+}
+async function transformValueAsync(policy, surface, value, context, path, fallbackInput = null) {
+    const fallback = resolveTransformFallback(value, fallbackInput);
+    const objectId = coercePrivacyObjectId(value);
+    if (objectId !== null) {
+        value = objectId;
+    }
+    value = normalizeEncodedCollectionForPrivacy(value);
+    const statement = matchStatement(policy, surface, value, context, path);
+    if (statement?.textPolicy?.mode === 'KNOWN_TEMPLATE' && typeof value === 'string') {
+        return applyKnownTextPolicy(statement.textPolicy, value, context, surface, path);
+    }
+    let currentValue = value;
+    const action = resolveEffectiveAction(statement?.action ?? fallback?.action, currentValue, path);
+    const deferKnownStringDetectors = shouldDeferKnownStringDetectorsToRawHints(statement, fallback);
+    let syncDetectorChanged = false;
+    if (typeof currentValue === 'string' && action !== 'DROP' && action !== 'TOKENIZE') {
+        const structured = await transformSerializedStructuredStringAsync(policy, surface, currentValue, context, path, serializedStringFallbackForStatement(statement, action, fallback));
+        if (structured !== null) {
+            return structured;
+        }
+    }
+    if (typeof currentValue === 'string' && action !== 'DROP' && action !== 'TOKENIZE' && !deferKnownStringDetectors) {
+        const syncDetected = sanitizeTextWithKnownDetectorsSync(currentValue, path);
+        if (syncDetected !== currentValue) {
+            currentValue = syncDetected;
+            syncDetectorChanged = true;
+        }
+    }
+    if (typeof currentValue === 'string' &&
+        shouldRunAsyncStringDetector(statement, fallback, currentValue, path) &&
+        action !== 'DROP' &&
+        action !== 'TOKENIZE' &&
+        !deferKnownStringDetectors) {
+        const skipAsyncDetector = syncDetectorChanged && !hasPotentialSensitiveLeak(currentValue);
+        if (!skipAsyncDetector) {
+            const detected = await (0, privacy_fallback_1.sanitizeUnknownBoundaryTextWithDetectors)(currentValue);
+            if (detected !== currentValue) {
+                currentValue = detected;
+            }
+        }
+    }
+    if (typeof currentValue === 'string' && (action === 'DROP' || action === 'TOKENIZE')) {
+        const structured = await transformSerializedStructuredStringAsChildrenAsync(policy, surface, currentValue, context, path);
+        if (structured !== null) {
+            return structured;
+        }
+    }
+    if (shouldPreserveBroadContainerSurface(statement, action, surface, currentValue, path)) {
+        return transformChildrenExactAsync(policy, surface, currentValue, context, path, childFallbackForExact(statement, action, fallback));
+    }
+    if (typeof currentValue === 'string' && action === 'KEEP_EXACT' && statement?.descendantRawTextMode) {
+        return summarizeValueAsync(policy, currentValue, context, surface, path, { rawTextMode: statement.descendantRawTextMode });
+    }
+    if (action === 'KEEP_EXACT') {
+        return transformChildrenExactAsync(policy, surface, currentValue, context, path, childFallbackForExact(statement, action, fallback));
+    }
+    if (action === 'DROP') {
+        return '[dropped]';
+    }
+    if (action === 'TOKENIZE') {
+        if (isStructuredPrivacyContainer(currentValue)) {
+            return transformChildrenWithFallbackAsync(policy, surface, currentValue, context, path, 'TOKENIZE');
+        }
+        return tokenizeValue(currentValue, context, surface, path);
+    }
+    if (action === 'SUMMARIZE') {
+        const summaryPolicy = summaryPolicyFor(statement, fallback);
+        const summaryFallback = summaryFallbackForPolicy(summaryPolicy);
+        if (isStructuredPrivacyContainer(currentValue) && summaryFallback) {
+            return transformChildrenExactAsync(policy, surface, currentValue, context, path, summaryFallback);
+        }
+        if (!statement && fallback?.action === 'SUMMARIZE' && isStructuredPrivacyContainer(currentValue)) {
+            return transformChildrenExactAsync(policy, surface, currentValue, context, path, fallback);
+        }
+        return summarizeValueAsync(policy, currentValue, context, surface, path, summaryPolicy);
+    }
+    return transformChildrenExactAsync(policy, surface, currentValue, context, path, fallback);
+}
+function resolveTransformFallback(value, input) {
+    const explicit = normalizeTransformFallback(input);
+    if (explicit) {
+        rememberRuntimePrivacyProvenance(value, explicit);
+        return explicit;
+    }
+    return getRuntimePrivacyProvenance(value);
+}
+function normalizeTransformFallback(input) {
+    if (!input) {
+        return null;
+    }
+    if (typeof input === 'string') {
+        return { action: input };
+    }
+    return input;
+}
+function childFallbackForExact(statement, action, inherited) {
+    if (statement) {
+        if (action === 'KEEP_EXACT' && statement.descendantRawTextMode) {
+            const mergedRawTextMode = mergeRawTextMode(statement.descendantRawTextMode, inherited?.rawTextMode);
+            const inheritedWins = inherited !== null &&
+                inherited.rawTextMode === mergedRawTextMode &&
+                inherited.rawTextMode !== statement.descendantRawTextMode;
+            return {
+                action: 'SUMMARIZE',
+                rawTextMode: mergedRawTextMode,
+                rawTextHintNames: inheritedWins ? inherited.rawTextHintNames : statement.rawTextHintNames,
+                sourceSid: inheritedWins ? inherited.sourceSid : statement.sid,
+                sourceSelector: inheritedWins ? inherited.sourceSelector : statement.selector,
+            };
+        }
+        return action === 'KEEP_EXACT' ? inherited : null;
+    }
+    return inherited;
+}
+function summaryPolicyFor(statement, fallback) {
+    if (statement) {
+        if (statement.textPolicy) {
+            return statement;
+        }
+        const rawTextMode = mergeRawTextMode(statement.rawTextMode, fallback?.rawTextMode);
+        return rawTextMode ? { ...statement, rawTextMode } : statement;
+    }
+    return fallback?.rawTextMode
+        ? { rawTextMode: fallback.rawTextMode, rawTextHintNames: fallback.rawTextHintNames }
+        : null;
+}
+function shouldDeferKnownStringDetectorsToRawHints(statement, fallback) {
+    return mergeRawTextMode(statement?.rawTextMode, fallback?.rawTextMode) === 'REGEX_ASSISTED_EXACT';
+}
+function mergeRawTextMode(primary, inherited) {
+    if (primary === 'REGEX_ASSISTED_EXACT' || inherited === 'REGEX_ASSISTED_EXACT') {
+        return 'REGEX_ASSISTED_EXACT';
+    }
+    return primary ?? inherited;
+}
+function summaryFallbackForPolicy(policy) {
+    return policy?.rawTextMode
+        ? { action: 'SUMMARIZE', rawTextMode: policy.rawTextMode, rawTextHintNames: policy.rawTextHintNames }
+        : null;
+}
+function serializedStringFallbackForStatement(statement, action, inherited) {
+    if (!statement || action === 'DROP' || action === 'TOKENIZE') {
+        return inherited;
+    }
+    const rawTextMode = mergeRawTextMode(statement.rawTextMode, inherited?.rawTextMode);
+    if (!rawTextMode) {
+        return inherited;
+    }
+    const inheritedWins = inherited !== null &&
+        inherited.rawTextMode === rawTextMode &&
+        inherited.rawTextMode !== statement.rawTextMode;
+    return {
+        action: 'SUMMARIZE',
+        rawTextMode,
+        rawTextHintNames: inheritedWins ? inherited.rawTextHintNames : statement.rawTextHintNames,
+        sourceSid: inheritedWins ? inherited.sourceSid : statement.sid,
+        sourceSelector: inheritedWins ? inherited.sourceSelector : statement.selector,
+    };
+}
+function isRuntimePrivacyProvenanceFallback(fallback) {
+    return Boolean(fallback && fallback.action === 'SUMMARIZE' && fallback.rawTextMode);
+}
+function rememberRuntimePrivacyProvenance(value, fallback) {
+    if (!isRuntimePrivacyProvenanceFallback(fallback)) {
+        return;
+    }
+    const provenance = {
+        action: fallback.action,
+        rawTextMode: fallback.rawTextMode,
+        sourceSid: fallback.sourceSid,
+        sourceSelector: fallback.sourceSelector,
+        inherited: true,
+    };
+    if (value && typeof value === 'object') {
+        objectRuntimePrivacyProvenance.set(value, provenance);
+    }
+    rememberSerializedRuntimePrivacyProvenance(value, provenance);
+}
+function getRuntimePrivacyProvenance(value) {
+    if (value && typeof value === 'object') {
+        const objectProvenance = objectRuntimePrivacyProvenance.get(value);
+        if (objectProvenance) {
+            return objectProvenance;
+        }
+    }
+    return lookupSerializedRuntimePrivacyProvenance(value);
+}
+function rememberSerializedRuntimePrivacyProvenance(value, provenance) {
+    for (const serialized of runtimePrivacyProvenanceSerializations(value)) {
+        const key = hashRuntimePrivacyProvenance(serialized);
+        if (!serializedRuntimePrivacyProvenance.has(key) && serializedRuntimePrivacyProvenance.size >= RUNTIME_PRIVACY_PROVENANCE_MAX_ENTRIES) {
+            const first = serializedRuntimePrivacyProvenance.keys().next().value;
+            if (first) {
+                serializedRuntimePrivacyProvenance.delete(first);
+            }
+        }
+        serializedRuntimePrivacyProvenance.set(key, provenance);
+    }
+}
+function lookupSerializedRuntimePrivacyProvenance(value) {
+    for (const serialized of runtimePrivacyProvenanceSerializations(value)) {
+        const provenance = serializedRuntimePrivacyProvenance.get(hashRuntimePrivacyProvenance(serialized));
+        if (provenance) {
+            return provenance;
+        }
+    }
+    return null;
+}
+function runtimePrivacyProvenanceSerializations(value) {
+    if (value === undefined || value === null) {
+        return [];
+    }
+    if (typeof value === 'string') {
+        if (!value || value.length > RUNTIME_PRIVACY_PROVENANCE_MAX_SERIALIZED_LENGTH) {
+            return [];
+        }
+        const out = [value];
+        const parsed = parseSerializedStructuredText(value);
+        if (parsed !== null) {
+            const stable = stableStringifyForRuntimePrivacyProvenance(parsed);
+            if (stable && stable !== value) {
+                out.push(stable);
+            }
+        }
+        return out;
+    }
+    if (!isStructuredPrivacyContainer(value)) {
+        return [];
+    }
+    const out = [];
+    const json = jsonStringifyForRuntimePrivacyProvenance(value);
+    if (json) {
+        out.push(json);
+    }
+    const stable = stableStringifyForRuntimePrivacyProvenance(value);
+    if (stable && stable !== json) {
+        out.push(stable);
+    }
+    return out;
+}
+function jsonStringifyForRuntimePrivacyProvenance(value) {
+    try {
+        const serialized = JSON.stringify(value);
+        return serialized && serialized.length <= RUNTIME_PRIVACY_PROVENANCE_MAX_SERIALIZED_LENGTH
+            ? serialized
+            : null;
+    }
+    catch {
+        return null;
+    }
+}
+function stableStringifyForRuntimePrivacyProvenance(value) {
+    try {
+        const seen = new WeakSet();
+        const serialized = stableStringifyForRuntimePrivacyProvenanceInner(value, seen);
+        return serialized && serialized.length <= RUNTIME_PRIVACY_PROVENANCE_MAX_SERIALIZED_LENGTH
+            ? serialized
+            : null;
+    }
+    catch {
+        return null;
+    }
+}
+function stableStringifyForRuntimePrivacyProvenanceInner(value, seen) {
+    if (value === undefined)
+        return 'undefined';
+    if (value === null)
+        return 'null';
+    if (typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean') {
+        return String(value);
+    }
+    if (typeof value === 'bigint') {
+        return `${value.toString()}n`;
+    }
+    if (typeof value !== 'object') {
+        return String(value);
+    }
+    if (value instanceof Date) {
+        return value.toISOString();
+    }
+    if (value instanceof Error || isWeakCollection(value)) {
+        return null;
+    }
+    if (seen.has(value)) {
+        return null;
+    }
+    seen.add(value);
+    try {
+        if (Array.isArray(value)) {
+            const items = value.map((item) => stableStringifyForRuntimePrivacyProvenanceInner(item, seen));
+            if (items.some((item) => item === null)) {
+                return null;
+            }
+            return `[${items.join(',')}]`;
+        }
+        if (value instanceof Map) {
+            const entries = Array.from(value.entries())
+                .map(([key, child], index) => [
+                normalizeCollectionKeyForPrivacy(key, index),
+                stableStringifyForRuntimePrivacyProvenanceInner(child, seen),
+            ]);
+            if (entries.some(([, child]) => child === null)) {
+                return null;
+            }
+            return `{${entries.sort(([left], [right]) => left.localeCompare(right)).map(([key, child]) => `${key}:${child}`).join(',')}}`;
+        }
+        if (value instanceof Set) {
+            const items = Array.from(value.values()).map((item) => stableStringifyForRuntimePrivacyProvenanceInner(item, seen));
+            if (items.some((item) => item === null)) {
+                return null;
+            }
+            return `[${items.join(',')}]`;
+        }
+        const keys = Object.keys(value).sort();
+        const fields = [];
+        for (const key of keys) {
+            const child = stableStringifyForRuntimePrivacyProvenanceInner(value[key], seen);
+            if (child === null) {
+                return null;
+            }
+            fields.push(`${key}:${child}`);
+        }
+        return `{${fields.join(',')}}`;
+    }
+    finally {
+        seen.delete(value);
+    }
+}
+function hashRuntimePrivacyProvenance(serialized) {
+    return (0, crypto_1.createHash)('sha256').update(`runtime-privacy-provenance|${serialized}`).digest('hex');
+}
+function transformChildrenExact(policy, surface, value, context, path, fallback = null) {
+    rememberRuntimePrivacyProvenance(value, fallback);
+    if (Array.isArray(value)) {
+        return value.map((item, index) => transformValue(policy, surface, item, context, path.concat(String(index)), fallback));
+    }
+    if (value instanceof Map) {
+        const output = {};
+        let index = 0;
+        for (const [key, child] of value.entries()) {
+            const normalizedKey = normalizeCollectionKeyForPrivacy(key, index);
+            output[normalizedKey] = transformValue(policy, surface, child, context, path.concat(normalizedKey), fallback);
+            index += 1;
+        }
+        return output;
+    }
+    if (value instanceof Set) {
+        return Array.from(value.values()).map((item, index) => transformValue(policy, surface, item, context, path.concat(String(index)), fallback));
+    }
+    if (isWeakCollection(value)) {
+        return `[${getPrivacyConstructorName(value)}: uninspectable]`;
+    }
+    if (value && typeof value === 'object') {
+        if (value instanceof Date || value instanceof Error) {
+            return value;
+        }
+        const output = {};
+        for (const [key, child] of Object.entries(value)) {
+            output[key] = transformValue(policy, surface, child, context, path.concat(key), fallback);
+        }
+        return output;
+    }
+    return value;
+}
+function transformChildrenWithFallback(policy, surface, value, context, path, fallbackAction) {
+    if (Array.isArray(value)) {
+        return value.map((item, index) => transformValue(policy, surface, item, context, path.concat(String(index)), fallbackAction));
+    }
+    if (value instanceof Map) {
+        const output = {};
+        let index = 0;
+        for (const [key, child] of value.entries()) {
+            const normalizedKey = normalizeCollectionKeyForPrivacy(key, index);
+            output[normalizedKey] = transformValue(policy, surface, child, context, path.concat(normalizedKey), fallbackAction);
+            index += 1;
+        }
+        return output;
+    }
+    if (value instanceof Set) {
+        return Array.from(value.values()).map((item, index) => transformValue(policy, surface, item, context, path.concat(String(index)), fallbackAction));
+    }
+    if (isWeakCollection(value)) {
+        return transformValue(policy, surface, `[${getPrivacyConstructorName(value)}: uninspectable]`, context, path, fallbackAction);
+    }
+    if (value && typeof value === 'object') {
+        if (value instanceof Date || value instanceof Error) {
+            return transformValue(policy, surface, String(value), context, path, fallbackAction);
+        }
+        const output = {};
+        for (const [key, child] of Object.entries(value)) {
+            output[key] = transformValue(policy, surface, child, context, path.concat(key), fallbackAction);
+        }
+        return output;
+    }
+    return transformValue(policy, surface, value, context, path, fallbackAction);
+}
+async function transformChildrenExactAsync(policy, surface, value, context, path, fallback = null) {
+    rememberRuntimePrivacyProvenance(value, fallback);
+    if (Array.isArray(value)) {
+        return Promise.all(value.map((item, index) => transformValueAsync(policy, surface, item, context, path.concat(String(index)), fallback)));
+    }
+    if (value instanceof Map) {
+        const output = {};
+        let index = 0;
+        for (const [key, child] of value.entries()) {
+            const normalizedKey = normalizeCollectionKeyForPrivacy(key, index);
+            output[normalizedKey] = await transformValueAsync(policy, surface, child, context, path.concat(normalizedKey), fallback);
+            index += 1;
+        }
+        return output;
+    }
+    if (value instanceof Set) {
+        return Promise.all(Array.from(value.values()).map((item, index) => transformValueAsync(policy, surface, item, context, path.concat(String(index)), fallback)));
+    }
+    if (isWeakCollection(value)) {
+        return `[${getPrivacyConstructorName(value)}: uninspectable]`;
+    }
+    if (value && typeof value === 'object') {
+        if (value instanceof Date || value instanceof Error) {
+            return value;
+        }
+        const output = {};
+        for (const [key, child] of Object.entries(value)) {
+            output[key] = await transformValueAsync(policy, surface, child, context, path.concat(key), fallback);
+        }
+        return output;
+    }
+    return value;
+}
+async function transformChildrenWithFallbackAsync(policy, surface, value, context, path, fallbackAction) {
+    if (Array.isArray(value)) {
+        return Promise.all(value.map((item, index) => transformValueAsync(policy, surface, item, context, path.concat(String(index)), fallbackAction)));
+    }
+    if (value instanceof Map) {
+        const output = {};
+        let index = 0;
+        for (const [key, child] of value.entries()) {
+            const normalizedKey = normalizeCollectionKeyForPrivacy(key, index);
+            output[normalizedKey] = await transformValueAsync(policy, surface, child, context, path.concat(normalizedKey), fallbackAction);
+            index += 1;
+        }
+        return output;
+    }
+    if (value instanceof Set) {
+        return Promise.all(Array.from(value.values()).map((item, index) => transformValueAsync(policy, surface, item, context, path.concat(String(index)), fallbackAction)));
+    }
+    if (isWeakCollection(value)) {
+        return transformValueAsync(policy, surface, `[${getPrivacyConstructorName(value)}: uninspectable]`, context, path, fallbackAction);
+    }
+    if (value && typeof value === 'object') {
+        if (value instanceof Date || value instanceof Error) {
+            return transformValueAsync(policy, surface, String(value), context, path, fallbackAction);
+        }
+        const output = {};
+        for (const [key, child] of Object.entries(value)) {
+            output[key] = await transformValueAsync(policy, surface, child, context, path.concat(key), fallbackAction);
+        }
+        return output;
+    }
+    return transformValueAsync(policy, surface, value, context, path, fallbackAction);
+}
+function isStructuredPrivacyContainer(value) {
+    return (value !== null &&
+        typeof value === 'object' &&
+        !(value instanceof Date) &&
+        !(value instanceof Error));
+}
+function normalizeCollectionKeyForPrivacy(value, index) {
+    const objectId = coercePrivacyObjectId(value);
+    if (objectId !== null) {
+        return objectId;
+    }
+    if (typeof value === 'string' && value) {
+        return value;
+    }
+    if (typeof value === 'number' || typeof value === 'boolean' || typeof value === 'bigint') {
+        return String(value);
+    }
+    if (typeof value === 'symbol') {
+        return value.description ? `symbol:${value.description}` : `symbol:${index}`;
+    }
+    return `mapEntry${index}`;
+}
+function isWeakCollection(value) {
+    return value instanceof WeakMap || value instanceof WeakSet;
+}
+function getPrivacyConstructorName(value) {
+    return value?.constructor?.name || 'Object';
+}
+function normalizeEncodedCollectionForPrivacy(value) {
+    if (!value || typeof value !== 'object' || Array.isArray(value)) {
+        return value;
+    }
+    const type = typeof value.__type === 'string' ? value.__type : '';
+    if (type === 'Map' && Array.isArray(value.entries)) {
+        const output = {};
+        value.entries.forEach((entry, index) => {
+            if (!Array.isArray(entry) || !entry.length) {
+                return;
+            }
+            output[normalizeCollectionKeyForPrivacy(entry[0], index)] = entry[1];
+        });
+        return output;
+    }
+    if (type === 'Set' && Array.isArray(value.values)) {
+        return value.values;
+    }
+    return value;
+}
+function transformSerializedStructuredString(policy, surface, value, context, path, fallback = null) {
+    const parsed = parseSerializedStructuredText(value);
+    if (parsed === null) {
+        return null;
+    }
+    const transformed = transformValue(policy, surface, parsed, context, path, fallback);
+    if (stableStringify(transformed) === stableStringify(parsed)) {
+        return null;
+    }
+    return JSON.stringify(transformed);
+}
+async function transformSerializedStructuredStringAsync(policy, surface, value, context, path, fallback = null) {
+    const parsed = parseSerializedStructuredText(value);
+    if (parsed === null) {
+        return null;
+    }
+    const transformed = await transformValueAsync(policy, surface, parsed, context, path, fallback);
+    if (stableStringify(transformed) === stableStringify(parsed)) {
+        return null;
+    }
+    return JSON.stringify(transformed);
+}
+function transformSerializedStructuredStringAsChildren(policy, surface, value, context, path) {
+    const parsed = parseSerializedStructuredText(value);
+    if (parsed === null) {
+        return null;
+    }
+    const transformed = transformChildrenExact(policy, surface, parsed, context, path);
+    if (stableStringify(transformed) === stableStringify(parsed)) {
+        return null;
+    }
+    return JSON.stringify(transformed);
+}
+async function transformSerializedStructuredStringAsChildrenAsync(policy, surface, value, context, path) {
+    const parsed = parseSerializedStructuredText(value);
+    if (parsed === null) {
+        return null;
+    }
+    const transformed = await transformChildrenExactAsync(policy, surface, parsed, context, path);
+    if (stableStringify(transformed) === stableStringify(parsed)) {
+        return null;
+    }
+    return JSON.stringify(transformed);
+}
+function matchStatement(policy, surface, value, context, path) {
+    let candidates = [];
+    for (const statement of policy.statements) {
+        if (shouldIgnoreBroadContainerRuleOnDescendant(statement, surface, path)) {
+            continue;
+        }
+        let targetScore = bestTargetMatchScore(statement.targetMatchers, surface, path);
+        if (targetScore < 0 && statement.scope === 'FIELD') {
+            targetScore = relaxedFieldTargetMatchScore(statement, surface, path);
+        }
+        if (targetScore < 0) {
+            continue;
+        }
+        if (!matchesScope(statement, surface, value, context, path)) {
+            continue;
+        }
+        const selectorScore = matchSelectorSpecificity(statement, surface, context, path);
+        candidates.push({
+            statement,
+            targetScore,
+            score: targetScore * 1000 +
+                selectorScore +
+                semanticScopeSpecificity(statement) +
+                statementSpecificity(statement) -
+                statement.priority,
+        });
+    }
+    if (!candidates.length) {
+        return null;
+    }
+    candidates = candidates.filter(({ statement }) => !isBroadContextKeepExact(statement, surface, path));
+    if (!candidates.length) {
+        return null;
+    }
+    const textPolicyCandidates = typeof value === 'string'
+        ? candidates.filter(({ statement }) => statement.textPolicy?.mode === 'KNOWN_TEMPLATE')
+        : [];
+    if (textPolicyCandidates.length) {
+        candidates.length = 0;
+        candidates.push(...textPolicyCandidates);
+    }
+    const strongestProtectiveTargetScore = Math.max(-1, ...candidates
+        .filter(({ statement }) => statement.action !== 'KEEP_EXACT')
+        .map(({ targetScore }) => targetScore));
+    if (strongestProtectiveTargetScore >= 0) {
+        candidates = candidates.filter(({ statement, targetScore }) => statement.action !== 'KEEP_EXACT' || targetScore > strongestProtectiveTargetScore);
+    }
+    const hasNestedTransform = path.length > 0 && candidates.some(({ statement, targetScore }) => statement.action !== 'KEEP_EXACT' &&
+        (targetScore > 0 || statement.scope === 'FIELD' || statement.scope === 'PATTERN'));
+    const active = hasNestedTransform
+        ? candidates.filter((candidate) => !isBroadContextKeepExact(candidate.statement, surface, path))
+        : candidates;
+    const pool = active.length ? active : candidates;
+    let best = null;
+    for (const candidate of pool) {
+        if (!best || candidate.score > best.score) {
+            best = { statement: candidate.statement, score: candidate.score };
+        }
+    }
+    return best?.statement ?? null;
+}
+function semanticScopeSpecificity(statement) {
+    switch (statement.scope) {
+        case 'FIELD':
+            return 350;
+        case 'PATTERN':
+            return 325;
+        case 'SCHEMA':
+        case 'QUERY':
+            return 250;
+        default:
+            return 0;
+    }
+}
+function actionSpecificity(action) {
+    switch (action) {
+        case 'DROP':
+            return 300;
+        case 'TOKENIZE':
+            return 200;
+        case 'SUMMARIZE':
+            return 100;
+        case 'KEEP_EXACT':
+        default:
+            return 0;
+    }
+}
+function statementSpecificity(statement) {
+    let score = actionSpecificity(statement.action);
+    if (statement.textPolicy?.mode === 'KNOWN_TEMPLATE') {
+        score += 90;
+    }
+    score += rawTextModeSpecificity(statement.rawTextMode);
+    score += rawTextModeSpecificity(statement.descendantRawTextMode);
+    return score;
+}
+function rawTextModeSpecificity(mode) {
+    if (mode === 'REGEX_ASSISTED_EXACT') {
+        return 80;
+    }
+    if (mode === 'SAFE_PARTIAL_MASK') {
+        return 10;
+    }
+    return 0;
+}
+function shouldPreserveBroadContainerSurface(statement, action, surface, value, path) {
+    if (!statement || !action || action === 'KEEP_EXACT') {
+        return false;
+    }
+    if (action === 'TOKENIZE') {
+        return false;
+    }
+    if (value === null || value === undefined || typeof value !== 'object' || value instanceof Date || value instanceof Error) {
+        return false;
+    }
+    if (!hasStructuredContainerTargetMatch(statement.targetMatchers, surface, path)) {
+        return false;
+    }
+    return ((statement.scope === 'FUNCTION' && surface.startsWith('trace.')) ||
+        (statement.scope === 'ROUTE' && (surface.startsWith('request.') || surface === 'response.body')) ||
+        ((statement.scope === 'QUERY' || statement.scope === 'SCHEMA') && surface.startsWith('db.')));
+}
+function shouldIgnoreBroadContainerRuleOnDescendant(statement, surface, path) {
+    if (!path.length || statement.action === 'KEEP_EXACT') {
+        return false;
+    }
+    if (!hasStructuredContainerAncestorTarget(statement.targetMatchers, surface, path)) {
+        return false;
+    }
+    return ((statement.scope === 'FUNCTION' && surface.startsWith('trace.')) ||
+        (statement.scope === 'ROUTE' && (surface.startsWith('request.') || surface === 'response.body')) ||
+        ((statement.scope === 'QUERY' || statement.scope === 'SCHEMA') && surface.startsWith('db.')));
+}
+function matchSelectorSpecificity(statement, surface, context, path) {
+    switch (statement.scope) {
+        case 'FUNCTION': {
+            const fn = context.trace?.fn?.trim();
+            if (!fn) {
+                return 0;
+            }
+            const normalizedFn = normalizeFunctionSelector(fn);
+            let best = 0;
+            for (const selector of statement.selectorTokens) {
+                if (!functionSelectorMatches(selector, fn)) {
+                    continue;
+                }
+                const normalizedSelector = normalizeFunctionSelector(selector);
+                const dotCount = normalizedSelector.split('.').filter(Boolean).length;
+                const score = 400 + dotCount * 25 - (statement.selectorTokens.length - 1) * 50;
+                best = Math.max(best, score);
+            }
+            return best || (normalizedFn ? 1 : 0);
+        }
+        case 'FIELD': {
+            const leaf = path[path.length - 1] ?? '';
+            const joinedPath = normalizeComparablePath(path);
+            let best = 0;
+            for (const selector of statement.selectorLeaves) {
+                if (!tokenMatchesPathToken(selector, leaf, joinedPath)) {
+                    continue;
+                }
+                const normalizedSelector = normalizeComparableToken(selector);
+                const dotCount = normalizedSelector.split('.').filter(Boolean).length;
+                best = Math.max(best, 150 + dotCount * 15 - (statement.selectorLeaves.length - 1) * 10);
+            }
+            return best;
+        }
+        case 'ROUTE':
+            return 200 - (statement.selectorTokens.length - 1) * 25;
+        default:
+            return 0;
+    }
+}
+function isBroadContextKeepExact(statement, surface, path) {
+    if (statement.action !== 'KEEP_EXACT') {
+        return false;
+    }
+    if (statement.textPolicy?.mode === 'KNOWN_TEMPLATE') {
+        return false;
+    }
+    if (!path.length) {
+        return false;
+    }
+    if (hasSpecificExactTargetMatch(statement.targetMatchers, surface, path)) {
+        return false;
+    }
+    return (statement.scope === 'FIELD' ||
+        statement.scope === 'FUNCTION' ||
+        statement.scope === 'ROUTE' ||
+        statement.scope === 'SCHEMA' ||
+        statement.scope === 'QUERY');
+}
+function hasSpecificExactTargetMatch(matchers, surface, path) {
+    return matchers.some((matcher) => {
+        if (!matcher.surfaces.includes(surface) || !matcher.path || matcher.path.length !== path.length) {
+            return false;
+        }
+        return matcher.path.every((segment, index) => segment === path[index]);
+    });
+}
+function matchesScope(statement, surface, value, context, path) {
+    const leaf = path[path.length - 1] ?? '';
+    const joinedPath = normalizeComparablePath(path);
+    switch (statement.scope) {
+        case 'FIELD':
+            return matchesFieldScope(statement, surface, path, leaf, joinedPath);
+        case 'FUNCTION': {
+            if (!surface.startsWith('trace.'))
+                return false;
+            const fn = context.trace?.fn?.trim();
+            if (!fn)
+                return false;
+            return statement.selectorTokens.some((selector) => functionSelectorMatches(selector, fn));
+        }
+        case 'ROUTE':
+            return Boolean(context.routeKey &&
+                statement.selectorTokens.some((selector) => routeSelectorMatches(selector, context.routeKey)));
+        case 'SCHEMA':
+            return schemaSelectorMatches(statement.selectorTokens, surface, context, leaf, joinedPath);
+        case 'QUERY':
+            return querySelectorMatches(statement.selectorTokens, surface, context);
+        case 'PATTERN':
+            return patternMatches(statement.pattern, leaf, joinedPath, value);
+        default:
+            return false;
+    }
+}
+function matchesFieldScope(statement, surface, path, leaf, joinedPath) {
+    const selectorMatches = statement.selectorLeaves.some((token) => tokenMatchesPathToken(token, leaf, joinedPath));
+    if (!statement.targetMatchers.length) {
+        return selectorMatches;
+    }
+    const hasSpecificTargetMatch = statement.targetMatchers.some((matcher) => {
+        if (!matcher.surfaces.includes(surface) || !matcher.path || !matcher.path.length) {
+            return false;
+        }
+        return pathPatternMatches(matcher.path, path);
+    });
+    if (hasSpecificTargetMatch) {
+        return true;
+    }
+    return selectorMatches;
+}
+function hasStructuredContainerTargetMatch(matchers, surface, path) {
+    return matchers.some((matcher) => {
+        if (!matcher.surfaces.includes(surface)) {
+            return false;
+        }
+        if (!matcher.path || !matcher.path.length) {
+            return path.length === 0;
+        }
+        if (matcher.path.length !== path.length) {
+            return false;
+        }
+        return matcher.path.every((segment, index) => segment === path[index]);
+    });
+}
+function hasStructuredContainerAncestorTarget(matchers, surface, path) {
+    return matchers.some((matcher) => {
+        if (!matcher.surfaces.includes(surface)) {
+            return false;
+        }
+        if (!matcher.path || !matcher.path.length) {
+            return true;
+        }
+        if (matcher.path.length >= path.length) {
+            return false;
+        }
+        return matcher.path.every((segment, index) => segment === path[index]);
+    });
+}
+function schemaSelectorMatches(selectors, surface, context, leaf, joinedPath) {
+    if (surface.startsWith('db.')) {
+        const collection = String(context.db?.collection ?? '').toLowerCase();
+        if (collection && selectors.some((selector) => normalizeSchemaSelector(selector).toLowerCase() === collection)) {
+            return true;
+        }
+    }
+    return selectors.some((selector) => {
+        const normalized = normalizeSchemaSelector(selector);
+        if (tokenMatchesPathToken(normalized, leaf, joinedPath)) {
+            return true;
+        }
+        const fieldToken = normalized
+            .split(/[.\s/]+/)
+            .map((part) => part.trim())
+            .filter(Boolean)
+            .pop();
+        return fieldToken ? tokenMatchesPathToken(fieldToken, leaf, joinedPath) : false;
+    });
+}
+function querySelectorMatches(selectors, surface, context) {
+    if (!surface.startsWith('db.')) {
+        return false;
+    }
+    const haystack = [
+        String(context.db?.type ?? ''),
+        String(context.db?.collection ?? ''),
+        String(context.db?.op ?? ''),
+        String(context.trace?.fn ?? ''),
+    ]
+        .join(' ')
+        .toLowerCase();
+    return selectors.some((selector) => {
+        const normalized = normalizeQuerySelector(selector).trim().toLowerCase();
+        return normalized && haystack.includes(normalized);
+    });
+}
+function patternMatches(pattern, leaf, joinedPath, value) {
+    if (!pattern)
+        return false;
+    if (leaf && pattern.test(leaf))
+        return true;
+    if (joinedPath && pattern.test(joinedPath))
+        return true;
+    if (typeof value === 'string' && pattern.test(value))
+        return true;
+    return false;
+}
+function functionSelectorMatches(selector, fn) {
+    const normalizedSelector = normalizeFunctionSelector(selector);
+    const normalizedFn = normalizeFunctionSelector(fn);
+    if (!normalizedSelector || !normalizedFn) {
+        return false;
+    }
+    return normalizedFn === normalizedSelector
+        || normalizedFn.endsWith(`.${normalizedSelector}`)
+        || normalizedSelector.endsWith(`.${normalizedFn}`);
+}
+function normalizeFunctionSelector(value) {
+    return value
+        .trim()
+        .replace(/^fn:/i, '')
+        .replace(/^function[.:]/i, '')
+        .replace(/^method[.:]/i, '')
+        .replace(/(\.args.*|\.returnValue.*|\.return.*|\.error.*|\.log.*)$/i, '')
+        .trim();
+}
+function normalizeRouteSelector(value) {
+    return value.trim().replace(/^route:/i, '').trim();
+}
+function routeSelectorMatches(selector, routeKey) {
+    const normalizedSelector = normalizeRouteSelector(selector);
+    const normalizedRouteKey = routeKey.trim();
+    if (!normalizedSelector || !normalizedRouteKey) {
+        return false;
+    }
+    if (normalizedSelector === normalizedRouteKey) {
+        return true;
+    }
+    const escaped = normalizedSelector
+        .replace(/[.*+?^${}()|[\]\\]/g, '\\$&')
+        .replace(/:[A-Za-z_][A-Za-z0-9_]*/g, '[^\\s/]+');
+    try {
+        return new RegExp(`^${escaped}$`).test(normalizedRouteKey);
+    }
+    catch {
+        return false;
+    }
+}
+function normalizeSchemaSelector(value) {
+    return value.trim().replace(/^schema:/i, '').trim();
+}
+function normalizeQuerySelector(value) {
+    return value.trim().replace(/^query:/i, '').trim();
+}
+function normalizeFieldSelectorToken(value) {
+    return value
+        .trim()
+        .replace(/^field\s*:/i, '')
+        .replace(/^leaf\s*:/i, '')
+        .replace(/^path\s*:/i, '')
+        .replace(/^key\s*:/i, '')
+        .replace(/^property\s*:/i, '')
+        .replace(/^prop\s*:/i, '')
+        .trim();
+}
+function tokenMatchesPathToken(token, leaf, joinedPath) {
+    const normalizedToken = normalizeComparableToken(token);
+    if (!normalizedToken)
+        return false;
+    if (normalizeComparableToken(leaf) === normalizedToken)
+        return true;
+    return joinedPath === normalizedToken || joinedPath.endsWith(`.${normalizedToken}`);
+}
+function normalizeComparablePath(path) {
+    return path
+        .filter((segment) => segment !== '*' && !/^\d+$/.test(segment))
+        .map(normalizeComparableToken)
+        .filter(Boolean)
+        .join('.');
+}
+function normalizeComparableToken(value) {
+    return value
+        .trim()
+        .replace(/\s+/g, '')
+        .replace(/\[\*\]/g, '')
+        .replace(/\[\d+\]/g, '')
+        .replace(/^\$\.?/, '')
+        .replace(/^.*->/, '')
+        .replace(/\|/g, '')
+        .toLowerCase();
+}
+function relaxedFieldTargetMatchScore(statement, surface, path) {
+    if (!path.length) {
+        return -1;
+    }
+    const leaf = path[path.length - 1] ?? '';
+    const joinedPath = normalizeComparablePath(path);
+    const leafMatches = statement.selectorLeaves.some((token) => tokenMatchesPathToken(token, leaf, joinedPath));
+    if (!leafMatches) {
+        return -1;
+    }
+    if (statement.targetMatchers.length && !statement.targetMatchers.some((matcher) => matcher.surfaces.includes(surface))) {
+        return statement.action !== 'KEEP_EXACT' || statement.textPolicy ? 15 : -1;
+    }
+    let best = 25;
+    for (const matcher of statement.targetMatchers) {
+        if (!matcher.surfaces.includes(surface)) {
+            continue;
+        }
+        best = Math.max(best, relaxedSuffixSpecificity(matcher.path, path));
+    }
+    return best;
+}
+function relaxedSuffixSpecificity(pattern, path) {
+    if (!pattern || !pattern.length) {
+        return 25;
+    }
+    const normalizedPattern = pattern.filter((segment) => segment !== '*' && !/^\d+$/.test(segment));
+    const normalizedPath = path.filter((segment) => segment !== '*' && !/^\d+$/.test(segment));
+    if (!normalizedPattern.length || !normalizedPath.length) {
+        return 25;
+    }
+    let expectedIndex = normalizedPattern.length - 1;
+    let actualIndex = normalizedPath.length - 1;
+    let matched = 0;
+    while (expectedIndex >= 0 && actualIndex >= 0) {
+        if (normalizedPattern[expectedIndex] === normalizedPath[actualIndex]) {
+            matched += 1;
+            expectedIndex -= 1;
+            actualIndex -= 1;
+            continue;
+        }
+        actualIndex -= 1;
+    }
+    if (!matched) {
+        return 25;
+    }
+    return 25 + matched * 10;
+}
+function matchesTarget(matchers, surface, path) {
+    if (!matchers.length) {
+        return true;
+    }
+    return matchers.some((matcher) => {
+        if (!matcher.surfaces.includes(surface)) {
+            return false;
+        }
+        if (!matcher.path || !matcher.path.length) {
+            return true;
+        }
+        return pathPatternMatches(matcher.path, path);
+    });
+}
+function bestTargetMatchScore(matchers, surface, path) {
+    if (!matchers.length) {
+        return 0;
+    }
+    let best = -1;
+    for (const matcher of matchers) {
+        if (!matcher.surfaces.includes(surface)) {
+            continue;
+        }
+        if (!matcher.path || !matcher.path.length) {
+            best = Math.max(best, 0);
+            continue;
+        }
+        const specificity = pathPatternSpecificity(matcher.path, path);
+        best = Math.max(best, specificity);
+    }
+    return best;
+}
+function parseTargetMatchers(target) {
+    if (!target.trim()) {
+        return [];
+    }
+    return target
+        .split(/[|,+]/)
+        .map((part) => part.trim())
+        .filter(Boolean)
+        .flatMap(expandBraceExpression)
+        .map(parseTargetMatcher)
+        .filter((matcher) => matcher !== null);
+}
+function parseTargetMatcher(raw) {
+    const token = raw.trim();
+    if (!token) {
+        return null;
+    }
+    for (const prefix of TARGET_PREFIXES) {
+        if (token === prefix || token.startsWith(`${prefix}.`) || token.startsWith(`${prefix}[`)) {
+            return {
+                surfaces: resolveTargetSurfaces(prefix),
+                path: token === prefix ? null : parsePath(token.slice(prefix.length + (token[prefix.length] === '[' ? 0 : 1))),
+            };
+        }
+    }
+    return {
+        surfaces: ALL_SURFACES,
+        path: parsePath(token),
+    };
+}
+function resolveTargetSurfaces(prefix) {
+    switch (prefix) {
+        case 'request':
+            return ['request.headers', 'request.body', 'request.params', 'request.query'];
+        case 'response':
+            return ['response.body'];
+        case 'trace':
+        case 'log.payload':
+            return ['trace.args', 'trace.returnValue', 'trace.error'];
+        case 'db.document':
+        case 'payload':
+            return [
+                'db.before',
+                'db.after',
+                'db.query',
+                'db.resultMeta',
+                'request.body',
+                'response.body',
+                'trace.args',
+                'trace.returnValue',
+            ];
+        case 'request.headers':
+        case 'request.body':
+        case 'request.params':
+        case 'request.query':
+        case 'response.body':
+        case 'trace.args':
+        case 'trace.returnValue':
+        case 'trace.error':
+        case 'db.pk':
+        case 'db.before':
+        case 'db.after':
+        case 'db.query':
+        case 'db.resultMeta':
+        case 'db.error':
+            return [prefix];
+        default:
+            return ALL_SURFACES;
+    }
+}
+function pathPatternMatches(pattern, path) {
+    return pathPatternSpecificity(pattern, path) >= 0;
+}
+function pathPatternSpecificity(pattern, path) {
+    if (!pattern.length) {
+        return 0;
+    }
+    if (pattern.length > path.length) {
+        return -1;
+    }
+    let specificity = 0;
+    for (let index = 0; index < pattern.length; index += 1) {
+        const expected = pattern[index];
+        const actual = path[index];
+        if (expected === '*') {
+            continue;
+        }
+        if (expected !== actual) {
+            return -1;
+        }
+        specificity += 1;
+    }
+    return specificity * 100 + pattern.length;
+}
+function parsePath(value) {
+    return value
+        .trim()
+        .replace(/^\./, '')
+        .replace(/\[(\d+|\*)?\]/g, (_match, part) => `.${part || '*'}`)
+        .split('.')
+        .map((part) => part.trim())
+        .filter(Boolean);
+}
+function expandBraceExpression(value) {
+    const match = value.match(/\{([^{}]+)\}/);
+    if (!match) {
+        return [value];
+    }
+    const variants = match[1]
+        .split(',')
+        .map((part) => part.trim())
+        .filter(Boolean);
+    if (!variants.length) {
+        return [value.replace(match[0], '')];
+    }
+    return variants.flatMap((variant) => expandBraceExpression(value.replace(match[0], variant)));
+}
+function tokenizeValue(value, context, surface, path) {
+    if (typeof value === 'string') {
+        if (isAlreadyPrivacyToken(value)) {
+            return value;
+        }
+        if (looksLikeEmail(value)) {
+            return (0, privacy_redaction_1.redactEmailDeterministic)(value);
+        }
+    }
+    const namespace = `${surface}:${path.join('.') || '$'}`;
+    const token = stableToken(namespace, value, context);
+    if (typeof value === 'string') {
+        return `${path[path.length - 1] || 'tok'}_tok_${token}`;
+    }
+    if (typeof value === 'number' || typeof value === 'bigint') {
+        return `num_tok_${token}`;
+    }
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (Array.isArray(value)) {
+        return value.map(() => '[tokenized]');
+    }
+    if (value && typeof value === 'object') {
+        const output = {};
+        for (const key of Object.keys(value)) {
+            output[key] = '[tokenized]';
+        }
+        return output;
+    }
+    return {
+        type: typeof value,
+        token: `tok_${token}`,
+    };
+}
+function isAlreadyPrivacyToken(value) {
+    return /^(?:email_tok_|[A-Za-z0-9_.-]+_tok_|num_tok_|tok_)[a-f0-9]{8,}$/i.test(value.trim());
+}
+const SUMMARY_MAX_DEPTH = 8;
+const SUMMARY_MAX_KEYS = 40;
+const SUMMARY_MAX_ITEMS = 10;
+const EXACT_GLUE_WORDS = new Set([
+    'a',
+    'an',
+    'and',
+    'as',
+    'at',
+    'but',
+    'by',
+    'be',
+    'can',
+    'could',
+    'did',
+    'do',
+    'does',
+    'for',
+    'from',
+    'had',
+    'has',
+    'have',
+    'if',
+    'in',
+    'into',
+    'is',
+    'it',
+    'must',
+    'never',
+    'not',
+    'of',
+    'on',
+    'or',
+    'should',
+    'the',
+    'then',
+    'to',
+    'up',
+    'via',
+    'was',
+    'were',
+    'will',
+    'with',
+    'would',
+]);
+const SUMMARY_SAFE_PATH_PATTERNS = [
+    /(^|\.)(_?id|taskid|paymentid|orderid|invoiceid|shipmentid)$/i,
+    /(^|\.)(reference|paymentreference|code|sku)$/i,
+    /(^|\.)(eventid|eventtype)$/i,
+    /(^|\.)(status|taskstatus|rawgatewaystatus|priority|scenario|success|classification)$/i,
+    /(^|\.)(currency|method|source|service|channel|direction|topic|partition|offset)$/i,
+    /(^|\.)(amount|refundedamount|count|total|port)$/i,
+    /(^|\.)(messagekey)$/i,
+    /(^|\.)(timestamp|firsttimestamp|maxtimestamp|logappendtime|createdat|updatedat|processedat|refundedat)$/i,
+    /(^|\.)(tasktitle|title)$/i,
+    /(^|\.)(queue|safequeue|lane|safelane|region|saferegion|stage|workflowstage|x-workflow-stage|featureflag|safefeatureflag|reasoncode|shard)$/i,
+    /(^|\.)(provider|component|environment|step)$/i,
+];
+const SUMMARY_UNSAFE_PATH_PATTERNS = [
+    /(^|\.)(description|message|comment|note|statusnote|failurereason|reason|error)$/i,
+    /\bemail\b/i,
+    /\bname\b/i,
+    /\bphone\b/i,
+    /\baddress\b/i,
+    /\b(dob|birthdate|dateofbirth)\b/i,
+    /\btoken\b/i,
+    /\bsecret\b/i,
+    /\bpassword\b/i,
+    /\bconnection\b/i,
+    /\bdsn\b/i,
+    /\buri\b/i,
+    /\burl\b/i,
+    /\bcard(last4|number|expiry|cvv)?\b/i,
+];
+const DROP_SAFETY_PATH_PATTERNS = [
+    /(^|\.)(authorization|x[-_]?apikey|x[-_]?api[-_]?key|apikey|api[-_]?key|appsecret|secret|token|password|cookie|sessionid|credential|privatekey|refresh|refresh[-_]?token)$/i,
+    /(^|\.)([a-z0-9_-]*(auth|authorization|bearer)|[a-z0-9_-]*secret|[a-z0-9_-]*token|[a-z0-9_-]*password|[a-z0-9_-]*cookie|[a-z0-9_-]*credential)$/i,
+    /(^|\.)(providerconnection|rawgatewayconnection|connectionstring|connectionuri|connectionurl|dsn|uri)$/i,
+    /(^|\.)([a-z0-9_-]*(connection|dsn))$/i,
+    /(^|\.)(cardlast4|cardnumber|card[-_]?number|fullpan|pan|cvv|cvc|securitycode|expiry)$/i,
+];
+const TOKENIZE_SAFETY_PATH_PATTERNS = [
+    /(^|\.)([a-z0-9_-]*email|email)$/i,
+    /(^|\.)(customername|customer[-_]?name|operatorname|operator[-_]?name|username|user[-_]?name|fullname|full[-_]?name|firstname|first[-_]?name|lastname|last[-_]?name)$/i,
+    /(^|\.)(incidentownername|incident[-_]?owner[-_]?name|ownername|owner[-_]?name|displayname|display[-_]?name|contactname|contact[-_]?name|reviewername|reviewer[-_]?name|requestername|requester[-_]?name|approvername|approver[-_]?name|assigneename|assignee[-_]?name|analystname|analyst[-_]?name|agentname|agent[-_]?name|payername|payer[-_]?name|payeename|payee[-_]?name)$/i,
+    /(^|\.)(accountid|account[-_]?id|customerid|customer[-_]?id|userid|user[-_]?id|personid|person[-_]?id|profileid|profile[-_]?id|contactid|contact[-_]?id|externaluserid|external[-_]?user[-_]?id|externalcustomerid|external[-_]?customer[-_]?id)$/i,
+    /(^|\.)(customer|user|account|person|profile|contact|owner|incidentowner|operator|reviewer|requester|approver|assignee|analyst|agent|payer|payee)\.(id|name|displayname|fullname|firstname|lastname)$/i,
+];
+const FREE_TEXT_FALLBACK_PATH_PATTERNS = [
+    /(^|\.)(description|message|comment|note|statusnote|failurereason|reason|error)$/i,
+];
+const OPERATIONAL_SAFE_PATH_PATTERNS = [
+    /(^|\.)(_?id|taskid|paymentid|orderid|safeorderid|invoiceid|shipmentid|drillid|caseid)$/i,
+    /(^|\.)(reference|paymentreference|messagekey|cachekey|rediskey|key)$/i,
+    /(^|\.)(eventid|requestid|rid|traceid|spanid|parentspanid|correlationid)$/i,
+    /(^|\.)(timestamp|firsttimestamp|maxtimestamp|logappendtime|createdat|updatedat|processedat|occurredat|receivedat|sentat|startedat|endedat|completedat|queuedat|scheduledat|duedate)$/i,
+    /(^|\.)(x-repro-request-rid|x-repro-trace-id|x-bug-request-start|x-request-id|x-correlation-id)$/i,
+    /(^|\.)(status|taskstatus|rawgatewaystatus|classification|currency|method|priority|risklevel|severity|safeseverity|level|scenario)$/i,
+    /(^|\.)(queue|safequeue|lane|safelane|region|saferegion|stage|workflowstage|x-workflow-stage|featureflag|safefeatureflag|reasoncode|shard)$/i,
+    /(^|\.)(provider|component|environment|step)$/i,
+];
+const OPERATIONAL_ENUM_PATH_PATTERNS = [
+    /(^|\.)([a-z0-9_-]*(status|state|priority|severity|level|classification|category|scenario|phase|stage|mode|method|currency|queue|lane|region|environment|component|provider|service|source|channel|direction|reasoncode|featureflag|shard))$/i,
+];
+const OPERATIONAL_COUNT_PATH_PATTERNS = [
+    /(^|\.)([a-z0-9_-]*(count|total|attempt|attempts|retry|retries|limit|offset|partition|size|index|position))$/i,
+];
+const OPERATIONAL_TIMESTAMP_PATH_PATTERNS = [
+    /(^|\.)(timestamp|firsttimestamp|maxtimestamp|logappendtime|[a-z0-9_-]*(created|updated|processed|occurred|received|sent|started|ended|completed|queued|scheduled|due)at|duedate)$/i,
+];
+const OPERATIONAL_ID_VALUE_PATTERNS = [
+    /^[0-9a-f]{24}$/i,
+    /^[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i,
+    /^S_[0-9a-f-]{16,}$/i,
+    /^A_\d+_[a-z0-9]+$/i,
+    /^\d{10,14}-[a-z0-9]+(?:-[a-z0-9]+)?$/i,
+    /^[A-Z][A-Z0-9]{1,15}-[A-Z0-9][A-Z0-9-]{1,31}$/,
+    /^[a-z][a-z0-9_-]*(?::[a-z0-9_-]+){1,}:[A-Za-z0-9_.-]{4,}$/i,
+];
+const SERIALIZED_STRUCTURED_TEXT_MAX_LENGTH = 200000;
+function summarizeValue(policy, value, context, surface, path, statement) {
+    const depth = path.length;
+    if (typeof value === 'string') {
+        const textPolicy = statement?.textPolicy;
+        if (textPolicy?.mode === 'KNOWN_TEMPLATE') {
+            return applyKnownTextPolicy(textPolicy, value, context, surface, path);
+        }
+        let text = value;
+        if (!statement?.rawTextMode && shouldKeepOperationalStringExact(value, path)) {
+            return value;
+        }
+        if (statement?.rawTextMode === 'REGEX_ASSISTED_EXACT' && policy.rawTextHints.length) {
+            return sanitizeRawTextExactSync(policy, value, context, surface, path, statement.rawTextHintNames);
+        }
+        const detected = sanitizeTextWithKnownDetectorsSync(value, path);
+        if (detected !== value) {
+            text = detected;
+        }
+        if (statement?.rawTextMode === 'SAFE_PARTIAL_MASK') {
+            if (shouldKeepSafePartialMaskStringExact(text, path)) {
+                return text;
+            }
+            return partiallyMaskUnknownString(text);
+        }
+        return text;
+    }
+    if (value === null || value === undefined) {
+        return value;
+    }
+    if (typeof value === 'number' || typeof value === 'bigint') {
+        return value;
+    }
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (value instanceof Date) {
+        return value.toISOString();
+    }
+    if (Array.isArray(value)) {
+        const visibleItems = value.slice(0, SUMMARY_MAX_ITEMS).map((item, index) => transformValue(policy, surface, item, context, path.concat(String(index)), 'SUMMARIZE'));
+        if (value.length > SUMMARY_MAX_ITEMS) {
+            visibleItems.push(`[truncated ${value.length - SUMMARY_MAX_ITEMS} items]`);
+        }
+        return visibleItems;
+    }
+    if (value instanceof Map) {
+        const fields = {};
+        let index = 0;
+        for (const [key, item] of value.entries()) {
+            if (index >= SUMMARY_MAX_KEYS)
+                break;
+            const normalizedKey = normalizeCollectionKeyForPrivacy(key, index);
+            fields[normalizedKey] = transformValue(policy, surface, item, context, path.concat(normalizedKey), 'SUMMARIZE');
+            index += 1;
+        }
+        if (value.size > SUMMARY_MAX_KEYS) {
+            fields.__reproTruncatedKeys = value.size - SUMMARY_MAX_KEYS;
+        }
+        return fields;
+    }
+    if (value instanceof Set) {
+        const visibleItems = Array.from(value.values()).slice(0, SUMMARY_MAX_ITEMS).map((item, index) => transformValue(policy, surface, item, context, path.concat(String(index)), 'SUMMARIZE'));
+        if (value.size > SUMMARY_MAX_ITEMS) {
+            visibleItems.push(`[truncated ${value.size - SUMMARY_MAX_ITEMS} items]`);
+        }
+        return visibleItems;
+    }
+    if (isWeakCollection(value)) {
+        return `[${getPrivacyConstructorName(value)}: uninspectable]`;
+    }
+    if (value instanceof Error) {
+        const output = {
+            name: value.name,
+            code: typeof value.code === 'string' || typeof value.code === 'number'
+                ? String(value.code)
+                : undefined,
+            status: typeof value.status === 'number'
+                ? value.status
+                : typeof value.statusCode === 'number'
+                    ? value.statusCode
+                    : undefined,
+            message: typeof value.message === 'string'
+                ? transformValue(policy, surface, value.message, context, path.concat('message'), 'SUMMARIZE')
+                : undefined,
+        };
+        return output;
+    }
+    if (value && typeof value === 'object') {
+        if (depth >= SUMMARY_MAX_DEPTH) {
+            return '[truncated object depth]';
+        }
+        const keys = Object.keys(value);
+        const visibleKeys = keys.slice(0, SUMMARY_MAX_KEYS);
+        const fields = {};
+        for (const key of visibleKeys) {
+            fields[key] = transformValue(policy, surface, value[key], context, path.concat(key), 'SUMMARIZE');
+        }
+        if (keys.length > SUMMARY_MAX_KEYS) {
+            fields.__reproTruncatedKeys = keys.length - SUMMARY_MAX_KEYS;
+        }
+        return fields;
+    }
+    return value;
+}
+async function summarizeValueAsync(policy, value, context, surface, path, statement) {
+    const depth = path.length;
+    if (typeof value === 'string') {
+        const textPolicy = statement?.textPolicy;
+        if (textPolicy?.mode === 'KNOWN_TEMPLATE') {
+            return applyKnownTextPolicy(textPolicy, value, context, surface, path);
+        }
+        let text = value;
+        if (!statement?.rawTextMode && shouldKeepOperationalStringExact(value, path)) {
+            return value;
+        }
+        if (statement?.rawTextMode === 'REGEX_ASSISTED_EXACT' && policy.rawTextHints.length) {
+            return sanitizeRawTextExactSync(policy, value, context, surface, path, statement.rawTextHintNames);
+        }
+        const syncDetected = sanitizeTextWithKnownDetectorsSync(value, path);
+        if (syncDetected !== value) {
+            text = syncDetected;
+        }
+        if (statement?.rawTextMode === 'SAFE_PARTIAL_MASK') {
+            const detected = await (0, privacy_fallback_1.sanitizeUnknownBoundaryTextWithDetectors)(text);
+            if (detected !== text) {
+                text = detected;
+            }
+            if (shouldKeepSafePartialMaskStringExact(text, path)) {
+                return text;
+            }
+            return partiallyMaskUnknownString(text);
+        }
+        return text;
+    }
+    if (value === null || value === undefined) {
+        return value;
+    }
+    if (typeof value === 'number' || typeof value === 'bigint') {
+        return value;
+    }
+    if (typeof value === 'boolean') {
+        return value;
+    }
+    if (value instanceof Date) {
+        return value.toISOString();
+    }
+    if (Array.isArray(value)) {
+        const visibleItems = await Promise.all(value.slice(0, SUMMARY_MAX_ITEMS).map((item, index) => transformValueAsync(policy, surface, item, context, path.concat(String(index)), 'SUMMARIZE')));
+        if (value.length > SUMMARY_MAX_ITEMS) {
+            visibleItems.push(`[truncated ${value.length - SUMMARY_MAX_ITEMS} items]`);
+        }
+        return visibleItems;
+    }
+    if (value instanceof Map) {
+        const fields = {};
+        let index = 0;
+        for (const [key, item] of value.entries()) {
+            if (index >= SUMMARY_MAX_KEYS)
+                break;
+            const normalizedKey = normalizeCollectionKeyForPrivacy(key, index);
+            fields[normalizedKey] = await transformValueAsync(policy, surface, item, context, path.concat(normalizedKey), 'SUMMARIZE');
+            index += 1;
+        }
+        if (value.size > SUMMARY_MAX_KEYS) {
+            fields.__reproTruncatedKeys = value.size - SUMMARY_MAX_KEYS;
+        }
+        return fields;
+    }
+    if (value instanceof Set) {
+        const visibleItems = await Promise.all(Array.from(value.values()).slice(0, SUMMARY_MAX_ITEMS).map((item, index) => transformValueAsync(policy, surface, item, context, path.concat(String(index)), 'SUMMARIZE')));
+        if (value.size > SUMMARY_MAX_ITEMS) {
+            visibleItems.push(`[truncated ${value.size - SUMMARY_MAX_ITEMS} items]`);
+        }
+        return visibleItems;
+    }
+    if (isWeakCollection(value)) {
+        return `[${getPrivacyConstructorName(value)}: uninspectable]`;
+    }
+    if (value instanceof Error) {
+        const output = {
+            name: value.name,
+            code: typeof value.code === 'string' || typeof value.code === 'number'
+                ? String(value.code)
+                : undefined,
+            status: typeof value.status === 'number'
+                ? value.status
+                : typeof value.statusCode === 'number'
+                    ? value.statusCode
+                    : undefined,
+            message: typeof value.message === 'string'
+                ? await transformValueAsync(policy, surface, value.message, context, path.concat('message'), 'SUMMARIZE')
+                : undefined,
+        };
+        return output;
+    }
+    if (value && typeof value === 'object') {
+        if (depth >= SUMMARY_MAX_DEPTH) {
+            return '[truncated object depth]';
+        }
+        const keys = Object.keys(value);
+        const visibleKeys = keys.slice(0, SUMMARY_MAX_KEYS);
+        const fields = {};
+        for (const key of visibleKeys) {
+            fields[key] = await transformValueAsync(policy, surface, value[key], context, path.concat(key), 'SUMMARIZE');
+        }
+        if (keys.length > SUMMARY_MAX_KEYS) {
+            fields.__reproTruncatedKeys = keys.length - SUMMARY_MAX_KEYS;
+        }
+        return fields;
+    }
+    return value;
+}
+function applyKnownTextPolicy(policy, value, context, surface, path) {
+    if (policy.mode !== 'KNOWN_TEMPLATE' || !policy.fragments.length) {
+        return sanitizeTextWithKnownDetectorsSync(value, path);
+    }
+    let cursor = 0;
+    let output = '';
+    for (let index = 0; index < policy.fragments.length; index += 1) {
+        const fragment = policy.fragments[index];
+        if (fragment.kind === 'literal') {
+            if (!value.startsWith(fragment.text, cursor)) {
+                return sanitizeTextWithKnownDetectorsSync(value, path);
+            }
+            output += fragment.text;
+            cursor += fragment.text.length;
+            continue;
+        }
+        const nextLiteral = findNextLiteral(policy.fragments, index + 1);
+        const end = nextLiteral ? value.indexOf(nextLiteral.text, cursor) : value.length;
+        if (end < 0) {
+            return sanitizeTextWithKnownDetectorsSync(value, path);
+        }
+        const raw = value.slice(cursor, end);
+        output += applyTextSlotAction(fragment, raw, context, surface, path, index);
+        cursor = end;
+    }
+    return cursor === value.length ? normalizePrivacyReplacementSpacing(output) : sanitizeTextWithKnownDetectorsSync(value, path);
+}
+function applyTextSlotAction(fragment, raw, context, surface, path, index) {
+    switch (fragment.action) {
+        case 'KEEP_EXACT':
+            return keepExactExceptKnownSensitiveText(raw);
+        case 'TOKENIZE':
+            return String(tokenizeValue(raw, context, surface, path.concat(fragment.label ?? `slot${index}`)));
+        case 'DROP':
+            return '[dropped]';
+        case 'PARTIAL_MASK':
+        default:
+            return partiallyMaskUnknownString(raw);
+    }
+}
+function keepExactExceptKnownSensitiveText(value) {
+    const spans = detectSensitiveTextSpans(value);
+    if (!spans.length) {
+        return value;
+    }
+    let cursor = 0;
+    let output = '';
+    for (const span of spans) {
+        if (span.start > cursor) {
+            output += value.slice(cursor, span.start);
+        }
+        output += span.replacement;
+        cursor = span.end;
+    }
+    if (cursor < value.length) {
+        output += value.slice(cursor);
+    }
+    return normalizePrivacyReplacementSpacing(output);
+}
+function sanitizeRawTextExactSync(policy, value, context, surface, path, rawTextHintNames) {
+    const hinted = applyRawTextHints(value, selectRawTextHints(policy.rawTextHints, rawTextHintNames), context, surface, path);
+    return sanitizeTextWithKnownDetectorsSync(hinted, path);
+}
+function selectRawTextHints(hints, rawTextHintNames) {
+    if (!rawTextHintNames?.length) {
+        return hints;
+    }
+    const allowed = new Set(rawTextHintNames.map((name) => name.trim()).filter(Boolean));
+    const selected = hints.filter((hint) => allowed.has(hint.name));
+    return selected.length ? selected : hints;
+}
+function applyRawTextHints(value, hints, context, surface, path) {
+    if (!value || !hints.length) {
+        return normalizePrivacyReplacementSpacing(value);
+    }
+    const spans = [];
+    for (const hint of sortRawTextHintsForPath(hints, path)) {
+        collectRawTextHintSpans(value, hint, context, surface, path, spans);
+    }
+    if (!spans.length) {
+        return normalizePrivacyReplacementSpacing(value);
+    }
+    let cursor = 0;
+    let output = '';
+    for (const span of mergeSpans(spans)) {
+        if (span.start > cursor) {
+            output += value.slice(cursor, span.start);
+        }
+        output += span.replacement;
+        cursor = span.end;
+    }
+    if (cursor < value.length) {
+        output += value.slice(cursor);
+    }
+    return normalizePrivacyReplacementSpacing(output);
+}
+function sortRawTextHintsForPath(hints, path) {
+    const normalizedPath = normalizeRawTextHintNeedle(path.join('.'));
+    return hints.slice().sort((left, right) => rawTextHintPathScore(left, normalizedPath) - rawTextHintPathScore(right, normalizedPath));
+}
+function rawTextHintPathScore(hint, normalizedPath) {
+    const tokenLabel = normalizeRawTextHintNeedle(hint.tokenLabel);
+    const name = normalizeRawTextHintNeedle(hint.name);
+    if (tokenLabel && normalizedPath.includes(tokenLabel))
+        return 0;
+    if (name && normalizedPath.includes(name))
+        return 1;
+    return 2;
+}
+function normalizeRawTextHintNeedle(value) {
+    return value.toLowerCase().replace(/[^a-z0-9]+/g, '');
+}
+function collectRawTextHintSpans(value, hint, context, surface, path, out) {
+    const pattern = new RegExp(hint.pattern.source, hint.pattern.flags.includes('g') ? hint.pattern.flags : `${hint.pattern.flags}g`);
+    let match;
+    let guard = 0;
+    while ((match = pattern.exec(value))) {
+        const matched = match[0];
+        if (!matched) {
+            pattern.lastIndex += 1;
+            if (pattern.lastIndex > value.length || guard++ > 1000) {
+                break;
+            }
+            continue;
+        }
+        out.push({
+            start: match.index,
+            end: match.index + matched.length,
+            replacement: hint.action === 'DROP'
+                ? '[dropped]'
+                : String(tokenizeValue(matched, context, surface, path.concat(hint.tokenLabel))),
+        });
+        guard += 1;
+        if (guard > 1000) {
+            break;
+        }
+    }
+}
+function findNextLiteral(fragments, startIndex) {
+    for (let index = startIndex; index < fragments.length; index += 1) {
+        const fragment = fragments[index];
+        if (fragment.kind === 'literal') {
+            return fragment;
+        }
+    }
+    return null;
+}
+function partiallyMaskUnknownString(value) {
+    if (!value) {
+        return value;
+    }
+    const spans = detectSensitiveTextSpans(value);
+    if (!spans.length) {
+        return maskGeneralTextSegment(value);
+    }
+    let cursor = 0;
+    let output = '';
+    for (const span of spans) {
+        if (span.start > cursor) {
+            output += maskGeneralTextSegment(value.slice(cursor, span.start));
+        }
+        output += span.replacement;
+        cursor = span.end;
+    }
+    if (cursor < value.length) {
+        output += maskGeneralTextSegment(value.slice(cursor));
+    }
+    return normalizePrivacyReplacementSpacing(output);
+}
+function normalizePrivacyReplacementSpacing(value) {
+    if (!value) {
+        return value;
+    }
+    const bracketMarker = String.raw `(?:\[(?:dropped|secret-token|connection-string|auth-token|session-secret|private-key|basic-auth|jwt|credit-card|phone|person|ssn|masked)\])`;
+    const tokenMarker = String.raw `(?:email_tok_[a-f0-9]{8,}|[A-Za-z][A-Za-z0-9_.-]*_tok_[a-f0-9]{8,})`;
+    const glueWord = String.raw `(?:for|from|by|to|with|owner|user|customer|operator|account|email|name)`;
+    const suffixGlueWord = String.raw `(?:and|or|on|for|from|to|with|can|was|were|is|in|by)`;
+    return value
+        .replace(new RegExp(`([A-Za-z0-9])(${bracketMarker})`, 'g'), '$1 $2')
+        .replace(new RegExp(`(${bracketMarker})([A-Za-z0-9])`, 'g'), '$1 $2')
+        .replace(new RegExp(`\\b(${glueWord})(${tokenMarker})`, 'gi'), '$1 $2')
+        .replace(new RegExp(`(${tokenMarker})(${suffixGlueWord})\\b`, 'gi'), '$1 $2');
+}
+function shouldRunAsyncStringDetector(statement, fallback, value, path) {
+    if (!value || value.length < 8) {
+        return false;
+    }
+    return mergeRawTextMode(statement?.rawTextMode, fallback?.rawTextMode) === 'SAFE_PARTIAL_MASK';
+}
+function hasPotentialSensitiveLeak(value) {
+    if (!value) {
+        return false;
+    }
+    if (looksLikeEmail(value) ||
+        looksLikeConnectionString(value) ||
+        containsJwtLikeText(value) ||
+        containsBearerAuthText(value) ||
+        containsBasicAuthText(value) ||
+        containsPrivateKeyBlock(value)) {
+        return true;
+    }
+    if (containsCreditCardLikeText(value)) {
+        return true;
+    }
+    return false;
+}
+function shouldKeepOperationalStringExact(value, path = []) {
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return true;
+    }
+    const comparablePath = normalizeComparablePath(path);
+    if (comparablePath && SUMMARY_UNSAFE_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return false;
+    }
+    if (comparablePath && DROP_SAFETY_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return false;
+    }
+    if (comparablePath && OPERATIONAL_SAFE_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return true;
+    }
+    if (comparablePath && OPERATIONAL_TIMESTAMP_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return looksLikeOperationalTimestamp(trimmed);
+    }
+    if (comparablePath && OPERATIONAL_COUNT_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return isOperationalNumericScalar(trimmed);
+    }
+    if (comparablePath && OPERATIONAL_ENUM_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return isLowRiskOperationalScalar(trimmed);
+    }
+    if (containsObviousSensitiveText(trimmed)) {
+        return false;
+    }
+    return OPERATIONAL_ID_VALUE_PATTERNS.some((pattern) => pattern.test(trimmed));
+}
+function containsObviousSensitiveText(value) {
+    if (looksLikeEmail(value) ||
+        looksLikeConnectionString(value) ||
+        containsJwtLikeText(value) ||
+        containsBearerAuthText(value) ||
+        containsBasicAuthText(value) ||
+        containsPrivateKeyBlock(value)) {
+        return true;
+    }
+    if (/@/.test(value) || /:\/\/\S+/.test(value)) {
+        return true;
+    }
+    if (containsCreditCardLikeText(value)) {
+        return true;
+    }
+    return false;
+}
+function shouldKeepExactUnknownSummaryString(value, path) {
+    if (!value) {
+        return true;
+    }
+    if (shouldKeepOperationalStringExact(value, path)) {
+        return true;
+    }
+    const comparablePath = normalizeComparablePath(path);
+    if (!comparablePath) {
+        return false;
+    }
+    if (SUMMARY_UNSAFE_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return false;
+    }
+    if (SUMMARY_SAFE_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return true;
+    }
+    return false;
+}
+function shouldKeepSafePartialMaskStringExact(value, path) {
+    const trimmed = value.trim();
+    if (!trimmed) {
+        return true;
+    }
+    if (shouldKeepOperationalStringExact(value, path)) {
+        return true;
+    }
+    const comparablePath = normalizeComparablePath(path);
+    if (!comparablePath) {
+        return false;
+    }
+    if (SUMMARY_UNSAFE_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath)) ||
+        DROP_SAFETY_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath)) ||
+        TOKENIZE_SAFETY_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath)) ||
+        containsObviousSensitiveText(trimmed)) {
+        return false;
+    }
+    if (OPERATIONAL_TIMESTAMP_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return looksLikeOperationalTimestamp(trimmed) || isLowRiskOperationalScalar(trimmed);
+    }
+    if (OPERATIONAL_COUNT_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return isOperationalNumericScalar(trimmed);
+    }
+    if (OPERATIONAL_ENUM_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath))) {
+        return isLowRiskOperationalScalar(trimmed);
+    }
+    return false;
+}
+function isLowRiskOperationalScalar(value) {
+    if (!value || value.length > 96) {
+        return false;
+    }
+    if (/\s/.test(value)) {
+        return false;
+    }
+    if (containsObviousSensitiveText(value)) {
+        return false;
+    }
+    return /^[A-Za-z0-9_.:/-]+$/.test(value);
+}
+function isOperationalNumericScalar(value) {
+    return /^[+-]?\d+(?:\.\d+)?$/.test(value.trim());
+}
+function looksLikeOperationalTimestamp(value) {
+    const trimmed = value.trim();
+    return (/^\d{4}-\d{2}-\d{2}(?:[T ][0-2]\d:[0-5]\d(?::[0-5]\d(?:\.\d{1,9})?)?(?:Z|[+-][0-2]\d:?[0-5]\d)?)?$/.test(trimmed) ||
+        /^\d{10,14}$/.test(trimmed));
+}
+function isSummaryUnsafePath(path) {
+    const comparablePath = normalizeComparablePath(path);
+    return Boolean(comparablePath &&
+        SUMMARY_UNSAFE_PATH_PATTERNS.some((pattern) => pattern.test(comparablePath)));
+}
+function sanitizeTextWithKnownDetectorsSync(value, path = []) {
+    if (shouldKeepOperationalStringExact(value, path)) {
+        return value;
+    }
+    const structured = sanitizeSerializedStructuredText(value, path);
+    if (structured !== null) {
+        return structured;
+    }
+    let output = value;
+    output = (0, privacy_redaction_1.redactEmailsInText)(output);
+    output = replaceCreditCardCandidates(output, () => '[credit-card]');
+    output = replaceJwtLikeText(output);
+    output = replaceBearerAuthText(output);
+    output = replaceBasicAuthText(output);
+    output = replacePrivateKeyBlocks(output);
+    output = output.replace(/\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?|redis):\/\/[^\s"']+/gi, '[connection-string]');
+    return normalizePrivacyReplacementSpacing(output);
+}
+function sanitizeSerializedStructuredText(value, path = []) {
+    const parsed = parseSerializedStructuredText(value);
+    if (parsed === null) {
+        return null;
+    }
+    try {
+        const sanitized = sanitizeStructuredValueWithKnownDetectors(parsed, path);
+        if (!sanitized.changed) {
+            return null;
+        }
+        return JSON.stringify(sanitized.value);
+    }
+    catch {
+        return null;
+    }
+}
+function parseSerializedStructuredText(value) {
+    if (value.length > SERIALIZED_STRUCTURED_TEXT_MAX_LENGTH) {
+        return null;
+    }
+    const trimmed = value.trim();
+    if (!trimmed || (trimmed[0] !== '{' && trimmed[0] !== '[')) {
+        return null;
+    }
+    try {
+        const parsed = JSON.parse(trimmed);
+        if (parsed === null || typeof parsed !== 'object') {
+            return null;
+        }
+        return parsed;
+    }
+    catch {
+        return null;
+    }
+}
+function sanitizeStructuredValueWithKnownDetectors(value, path) {
+    const objectId = coercePrivacyObjectId(value);
+    if (objectId !== null) {
+        return { value: objectId, changed: true };
+    }
+    if (Array.isArray(value)) {
+        let changed = false;
+        const next = value.map((item, index) => {
+            const sanitized = sanitizeStructuredValueWithKnownDetectors(item, path.concat(String(index)));
+            changed = changed || sanitized.changed;
+            return sanitized.value;
+        });
+        return { value: next, changed };
+    }
+    if (value && typeof value === 'object') {
+        let changed = false;
+        const next = {};
+        for (const [key, child] of Object.entries(value)) {
+            const sanitized = sanitizeStructuredValueWithKnownDetectors(child, path.concat(key));
+            changed = changed || sanitized.changed;
+            next[key] = sanitized.value;
+        }
+        return { value: next, changed };
+    }
+    const floorAction = deriveSensitiveLeafFloorAction(value, path);
+    if (floorAction === 'DROP') {
+        return { value: '[dropped]', changed: true };
+    }
+    if (floorAction === 'TOKENIZE') {
+        if (typeof value === 'string' && isAlreadyPrivacyToken(value)) {
+            return { value, changed: false };
+        }
+        if (typeof value === 'string' && looksLikeEmail(value)) {
+            return { value: (0, privacy_redaction_1.redactEmailDeterministic)(value), changed: true };
+        }
+        const leaf = path[path.length - 1] || 'value';
+        const token = (0, crypto_1.createHash)('sha256')
+            .update(`repro|${normalizeComparablePath(path)}|${stableStringify(value)}`)
+            .digest('hex')
+            .slice(0, 12);
+        return { value: `${leaf}_tok_${token}`, changed: true };
+    }
+    if (typeof value === 'string') {
+        const sanitized = sanitizeTextWithKnownDetectorsSync(value, path);
+        if (sanitized !== value) {
+            return { value: sanitized, changed: true };
+        }
+    }
+    return { value, changed: false };
+}
+function looksLikeSentenceText(value) {
+    const trimmed = value.trim();
+    if (trimmed.length < 12) {
+        return false;
+    }
+    if (!/\s/.test(trimmed)) {
+        return false;
+    }
+    if (/^[A-Za-z0-9_-]+$/.test(trimmed)) {
+        return false;
+    }
+    return /[A-Za-z]/.test(trimmed);
+}
+function maskGeneralTextSegment(value) {
+    const placeholderPattern = /\[[a-z-]+\]/gi;
+    let cursor = 0;
+    let output = '';
+    let match;
+    while ((match = placeholderPattern.exec(value))) {
+        if (match.index > cursor) {
+            output += maskPlainTextTokens(value.slice(cursor, match.index));
+        }
+        output += match[0];
+        cursor = match.index + match[0].length;
+    }
+    if (cursor < value.length) {
+        output += maskPlainTextTokens(value.slice(cursor));
+    }
+    return output;
+}
+function maskPlainTextTokens(value) {
+    return value.replace(/[A-Za-z0-9]+(?:[._:/-][A-Za-z0-9]+)*/g, (token) => partiallyMaskToken(token));
+}
+function partiallyMaskToken(token) {
+    const length = token.length;
+    if (isAlreadyPrivacyToken(token)) {
+        return token;
+    }
+    if (shouldKeepOperationalStringExact(token)) {
+        return token;
+    }
+    if (EXACT_GLUE_WORDS.has(token.toLowerCase())) {
+        return token;
+    }
+    if (length <= 3) {
+        return '...';
+    }
+    if (/^[A-Za-z]+$/.test(token)) {
+        return maskTokenMiddle(token, alphabeticMaskBounds(length));
+    }
+    return maskTokenMiddle(token, mixedMaskBounds(length));
+}
+function alphabeticMaskBounds(length) {
+    if (length <= 4) {
+        return { prefixLength: 1, suffixLength: 1 };
+    }
+    if (length <= 6) {
+        return { prefixLength: 2, suffixLength: 2 };
+    }
+    if (length <= 8) {
+        return { prefixLength: 3, suffixLength: 2 };
+    }
+    return { prefixLength: 3, suffixLength: 3 };
+}
+function mixedMaskBounds(length) {
+    if (length <= 5) {
+        return { prefixLength: 1, suffixLength: 1 };
+    }
+    if (length <= 8) {
+        return { prefixLength: 2, suffixLength: 2 };
+    }
+    return { prefixLength: 3, suffixLength: 3 };
+}
+function maskTokenMiddle(token, bounds) {
+    const prefixLength = Math.min(bounds.prefixLength, token.length);
+    const suffixLength = Math.min(bounds.suffixLength, Math.max(0, token.length - prefixLength - 1));
+    if (prefixLength + suffixLength >= token.length) {
+        return `${token.slice(0, 1)}..${token.slice(-1)}`;
+    }
+    return `${token.slice(0, prefixLength)}..${token.slice(token.length - suffixLength)}`;
+}
+function detectSensitiveTextSpans(value) {
+    const spans = [];
+    collectPatternSpans(value, /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi, (match) => maskEmail(match), spans);
+    collectCreditCardSpans(value, spans);
+    return mergeSpans(spans);
+}
+function collectPatternSpans(value, pattern, replacer, out) {
+    let match;
+    const globalPattern = new RegExp(pattern.source, pattern.flags.includes('g') ? pattern.flags : `${pattern.flags}g`);
+    while ((match = globalPattern.exec(value))) {
+        const matched = match[0];
+        if (!matched) {
+            continue;
+        }
+        out.push({
+            start: match.index,
+            end: match.index + matched.length,
+            replacement: replacer(matched),
+        });
+    }
+}
+function collectCreditCardSpans(value, out) {
+    const pattern = /\b(?:\d[ -]*?){13,19}\b/g;
+    let match;
+    while ((match = pattern.exec(value))) {
+        const matched = match[0];
+        if (!matched ||
+            shouldPreserveNumericCandidateInText(value, match.index, matched) ||
+            !isLuhnValidCardCandidate(matched)) {
+            continue;
+        }
+        out.push({
+            start: match.index,
+            end: match.index + matched.length,
+            replacement: maskCardLikeValue(matched),
+        });
+    }
+}
+function containsCreditCardLikeText(value) {
+    const pattern = /\b(?:\d[ -]*?){13,19}\b/g;
+    let match;
+    while ((match = pattern.exec(value))) {
+        if (match[0] && isLuhnValidCardCandidate(match[0])) {
+            return true;
+        }
+    }
+    return false;
+}
+function replaceCreditCardCandidates(value, replacer) {
+    return value.replace(/\b(?:\d[ -]*?){13,19}\b/g, (match, offset, fullText) => {
+        if (shouldPreserveNumericCandidateInText(String(fullText), Number(offset), match)) {
+            return match;
+        }
+        if (!isLuhnValidCardCandidate(match)) {
+            return match;
+        }
+        return replacer(match);
+    });
+}
+function shouldPreserveNumericCandidateInText(value, start, match) {
+    const token = expandTokenAround(value, start, start + match.length);
+    if (!token) {
+        return false;
+    }
+    if (/^\d{10,14}-[a-z0-9]+(?:-[a-z0-9]+)?$/i.test(token)) {
+        return true;
+    }
+    if (/^(?:req|rid|trace|span|request|event)[-_]?\d{10,}/i.test(token)) {
+        return true;
+    }
+    if (/^\d{10,14}$/.test(token) && !isLuhnValidCardCandidate(token)) {
+        return true;
+    }
+    return shouldKeepOperationalStringExact(token);
+}
+function isLuhnValidCardCandidate(value) {
+    const digits = value.replace(/\D/g, '');
+    if (digits.length < 13 || digits.length > 19) {
+        return false;
+    }
+    let sum = 0;
+    let doubleDigit = false;
+    for (let index = digits.length - 1; index >= 0; index -= 1) {
+        let digit = Number(digits[index]);
+        if (!Number.isInteger(digit)) {
+            return false;
+        }
+        if (doubleDigit) {
+            digit *= 2;
+            if (digit > 9) {
+                digit -= 9;
+            }
+        }
+        sum += digit;
+        doubleDigit = !doubleDigit;
+    }
+    return sum % 10 === 0;
+}
+function expandTokenAround(value, start, end) {
+    let left = start;
+    while (left > 0 && /[A-Za-z0-9_-]/.test(value[left - 1])) {
+        left -= 1;
+    }
+    let right = end;
+    while (right < value.length && /[A-Za-z0-9_-]/.test(value[right])) {
+        right += 1;
+    }
+    return value.slice(left, right);
+}
+function mergeSpans(spans) {
+    const sorted = spans.slice().sort((left, right) => left.start - right.start || left.end - right.end);
+    const merged = [];
+    for (const span of sorted) {
+        const last = merged[merged.length - 1];
+        if (!last || span.start >= last.end) {
+            merged.push(span);
+            continue;
+        }
+        if (span.end > last.end) {
+            last.end = span.end;
+            last.replacement = span.replacement;
+        }
+    }
+    return merged;
+}
+function maskEmail(value) {
+    return (0, privacy_redaction_1.redactEmailDeterministic)(value);
+}
+function maskCardLikeValue(value) {
+    const digits = value.replace(/\D/g, '');
+    if (!digits.length) {
+        return '[masked]';
+    }
+    if (digits.length <= 4) {
+        return `${digits.slice(0, 1)}...${digits.slice(-1)}`;
+    }
+    return `${digits.slice(0, 2)}...${digits.slice(-2)}`;
+}
+function stableToken(namespace, value, context) {
+    const secret = context.appSecret || context.appId || 'repro';
+    const material = `${secret}|${namespace}|${stableStringify(value)}`;
+    return (0, crypto_1.createHash)('sha256').update(material).digest('hex').slice(0, 12);
+}
+function stableStringify(value) {
+    if (value === undefined)
+        return 'undefined';
+    if (value === null)
+        return 'null';
+    if (typeof value === 'string' || typeof value === 'number' || typeof value === 'boolean') {
+        return String(value);
+    }
+    if (typeof value === 'bigint') {
+        return `${value.toString()}n`;
+    }
+    if (Array.isArray(value)) {
+        return `[${value.map((item) => stableStringify(item)).join(',')}]`;
+    }
+    if (value && typeof value === 'object') {
+        return `{${Object.keys(value).sort().map((key) => `${key}:${stableStringify(value[key])}`).join(',')}}`;
+    }
+    return String(value);
+}
+function coercePrivacyObjectId(value) {
+    if (value === null || value === undefined) {
+        return null;
+    }
+    if (typeof value === 'string') {
+        const direct = normalizePrivacyObjectIdString(value);
+        return direct && /^[0-9a-f]{24}$/i.test(direct) ? direct.toLowerCase() : null;
+    }
+    if (typeof value !== 'object') {
+        return null;
+    }
+    const bsonType = typeof value?._bsontype === 'string' ? String(value._bsontype).toLowerCase() : '';
+    const ctorName = typeof value?.constructor?.name === 'string' ? String(value.constructor.name).toLowerCase() : '';
+    const looksLikeObjectId = bsonType.includes('objectid') ||
+        ctorName === 'objectid' ||
+        typeof value.toHexString === 'function';
+    const fromBufferShape = coercePrivacyObjectIdFromBufferShape(value, looksLikeObjectId);
+    if (fromBufferShape) {
+        return fromBufferShape;
+    }
+    if (typeof value.$oid === 'string') {
+        const oid = normalizePrivacyObjectIdString(value.$oid);
+        if (oid && /^[0-9a-f]{24}$/i.test(oid)) {
+            return oid.toLowerCase();
+        }
+    }
+    try {
+        if (typeof value.toHexString === 'function') {
+            const hex = normalizePrivacyObjectIdString(value.toHexString());
+            if (hex && /^[0-9a-f]{24}$/i.test(hex)) {
+                return hex.toLowerCase();
+            }
+        }
+    }
+    catch { }
+    try {
+        if (typeof value.toString === 'function') {
+            const text = normalizePrivacyObjectIdString(value.toString());
+            if (text && /^[0-9a-f]{24}$/i.test(text)) {
+                return text.toLowerCase();
+            }
+        }
+    }
+    catch { }
+    return looksLikeObjectId ? '[mongo-id]' : null;
+}
+function normalizePrivacyObjectIdString(value) {
+    if (value === null || value === undefined) {
+        return null;
+    }
+    const text = String(value).trim();
+    if (!text || text === '[object Object]') {
+        return null;
+    }
+    return text;
+}
+function coercePrivacyObjectIdFromBufferShape(value, includeIdCandidate = false) {
+    const decode = (source) => {
+        if (!source) {
+            return null;
+        }
+        if (typeof source === 'string') {
+            const normalized = normalizePrivacyObjectIdString(source);
+            return normalized && /^[0-9a-f]{24}$/i.test(normalized) ? normalized.toLowerCase() : null;
+        }
+        if ((typeof Buffer !== 'undefined' && Buffer.isBuffer(source)) ||
+            source instanceof Uint8Array) {
+            if (source.length !== 12) {
+                return null;
+            }
+            try {
+                return Buffer.from(source).toString('hex');
+            }
+            catch {
+                return null;
+            }
+        }
+        const bytes = Array.isArray(source)
+            ? source
+            : typeof source === 'object' && source?.type === 'Buffer' && Array.isArray(source?.data)
+                ? source.data
+                : typeof source === 'object'
+                    ? Object.keys(source)
+                        .filter((key) => /^\d+$/.test(key))
+                        .sort((left, right) => Number(left) - Number(right))
+                        .map((key) => source[key])
+                    : null;
+        if (!Array.isArray(bytes) || bytes.length !== 12) {
+            return null;
+        }
+        const normalized = bytes.map((byte) => Number(byte));
+        if (normalized.some((byte) => !Number.isInteger(byte) || byte < 0 || byte > 255)) {
+            return null;
+        }
+        try {
+            return Buffer.from(normalized).toString('hex');
+        }
+        catch {
+            return null;
+        }
+    };
+    const candidates = includeIdCandidate
+        ? [value, value.buffer, value.id, value.$oid]
+        : [value, value.buffer, value.$oid];
+    for (const candidate of candidates) {
+        const decoded = decode(candidate);
+        if (decoded) {
+            return decoded;
+        }
+    }
+    return null;
+}
+function looksLikeEmail(value) {
+    return /^[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}$/i.test(value.trim());
+}
+function looksLikeConnectionString(value) {
+    return /^(?:mongodb(?:\+srv)?|postgres(?:ql)?|mysql|redis|amqp):\/\/\S+$/i.test(value);
+}
+function containsJwtLikeText(value) {
+    return /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/.test(value);
+}
+function replaceJwtLikeText(value) {
+    return value.replace(/\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/g, '[jwt]');
+}
+function containsBearerAuthText(value) {
+    return /\bBearer\s+(?!\[(?:dropped|auth-token)\])[A-Za-z0-9._\-+/=]{8,}/i.test(value);
+}
+function replaceBearerAuthText(value) {
+    return value.replace(/\bBearer\s+(?!\[(?:dropped|auth-token)\])[A-Za-z0-9._\-+/=]{8,}/gi, '[auth-token]');
+}
+function containsBasicAuthText(value) {
+    return /\bBasic\s+(?!\[(?:dropped|basic-auth)\])[A-Za-z0-9+/=]{8,}/i.test(value);
+}
+function replaceBasicAuthText(value) {
+    return value.replace(/\bBasic\s+(?!\[(?:dropped|basic-auth)\])[A-Za-z0-9+/=]{8,}/gi, '[basic-auth]');
+}
+function containsPrivateKeyBlock(value) {
+    return /-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----/.test(value);
+}
+function replacePrivateKeyBlocks(value) {
+    return value.replace(/-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]+?-----END [A-Z ]*PRIVATE KEY-----/g, '[private-key]');
+}
+function normalizeTextPolicy(input) {
+    if (!input || typeof input !== 'object') {
+        return undefined;
+    }
+    const policy = input;
+    if (policy.mode !== 'KNOWN_TEMPLATE' || !Array.isArray(policy.fragments) || !policy.fragments.length) {
+        return undefined;
+    }
+    const fragments = policy.fragments
+        .map((fragment) => normalizeTextFragment(fragment))
+        .filter((fragment) => fragment !== null);
+    if (!fragments.length) {
+        return undefined;
+    }
+    return {
+        mode: 'KNOWN_TEMPLATE',
+        fragments,
+    };
+}
+function normalizeTextFragment(input) {
+    if (!input || typeof input !== 'object') {
+        return null;
+    }
+    const fragment = input;
+    if (fragment.kind === 'literal') {
+        return typeof fragment.text === 'string' && fragment.text.length
+            ? { kind: 'literal', text: fragment.text }
+            : null;
+    }
+    if (fragment.kind === 'slot') {
+        if (fragment.action !== 'KEEP_EXACT' &&
+            fragment.action !== 'TOKENIZE' &&
+            fragment.action !== 'PARTIAL_MASK' &&
+            fragment.action !== 'DROP') {
+            return null;
+        }
+        return {
+            kind: 'slot',
+            label: typeof fragment.label === 'string' && fragment.label.trim() ? fragment.label.trim() : undefined,
+            action: fragment.action,
+        };
+    }
+    return null;
+}
+function normalizeRawTextMode(input) {
+    return input === 'SAFE_PARTIAL_MASK' || input === 'REGEX_ASSISTED_EXACT'
+        ? input
+        : undefined;
+}
+function normalizeRawTextHints(input) {
+    if (!Array.isArray(input)) {
+        return [];
+    }
+    const out = [];
+    for (const entry of input) {
+        const hint = normalizeRawTextHint(entry);
+        if (hint) {
+            out.push(hint);
+        }
+    }
+    return out.slice(0, 50);
+}
+function normalizeRawTextHintNames(input) {
+    if (!Array.isArray(input)) {
+        return undefined;
+    }
+    const names = input
+        .map((value) => (typeof value === 'string' ? value.trim() : ''))
+        .filter(Boolean);
+    return names.length ? Array.from(new Set(names)).slice(0, 50) : undefined;
+}
+function normalizeRawTextHint(input) {
+    if (!input || typeof input !== 'object') {
+        return null;
+    }
+    const record = input;
+    if (record.scope !== 'RAW_TEXT_ONLY') {
+        return null;
+    }
+    const action = record.action;
+    if (action !== 'TOKENIZE' && action !== 'DROP') {
+        return null;
+    }
+    const patternText = typeof record.regex === 'string'
+        ? record.regex
+        : typeof record.pattern === 'string'
+            ? record.pattern
+            : '';
+    if (!isSafeRawTextRegexPattern(patternText)) {
+        return null;
+    }
+    const pattern = safeRegExp(patternText);
+    if (!pattern) {
+        return null;
+    }
+    const name = typeof record.name === 'string' && record.name.trim()
+        ? record.name.trim()
+        : 'rawTextHint';
+    const tokenLabel = normalizeTokenLabel(typeof record.tokenLabel === 'string' && record.tokenLabel.trim()
+        ? record.tokenLabel
+        : name);
+    return {
+        name,
+        action,
+        pattern,
+        tokenLabel,
+    };
+}
+function isSafeRawTextRegexPattern(pattern) {
+    const trimmed = pattern.trim();
+    if (!trimmed || trimmed.length > 500) {
+        return false;
+    }
+    if (trimmed === '.*' || trimmed === '.+' || trimmed === '[\\s\\S]*' || trimmed === '[\\s\\S]+') {
+        return false;
+    }
+    if (/\(\?<?[=!]/.test(trimmed)) {
+        return false;
+    }
+    if (/\.\s*[+*{]/.test(trimmed)) {
+        return false;
+    }
+    if (/\[[^\]]+\]\s*[+*]/.test(trimmed)) {
+        return false;
+    }
+    if (/\[[^\]]+\]\s*\{\d+,\}/.test(trimmed)) {
+        return false;
+    }
+    if (/\([^)]*[+*][^)]*\)\s*[+*{]/.test(trimmed)) {
+        return false;
+    }
+    return true;
+}
+function normalizeTokenLabel(value) {
+    const normalized = value
+        .trim()
+        .replace(/[^A-Za-z0-9_]+/g, '_')
+        .replace(/^_+|_+$/g, '');
+    return normalized || 'rawTextHint';
+}
+function safeRegExp(pattern) {
+    try {
+        const inlineFlags = pattern.match(/^\(\?([imsu]+)\)/i);
+        if (inlineFlags) {
+            const normalizedFlags = Array.from(new Set(inlineFlags[1].toLowerCase().split(''))).join('');
+            return new RegExp(pattern.slice(inlineFlags[0].length), normalizedFlags);
+        }
+        return new RegExp(pattern);
+    }
+    catch {
+        return undefined;
+    }
+}